DOMAIN 4
INFORMATION SECURITY INCIDENT MANAGEMENT
Exam domain weights (from figure):
• Domain 1: Information Security Governance, 24%
• Domain 2: Information Security Risk Management, 30%
• Domain 3: Information Security Program Development and Management, 27%
• Domain 4: Information Security Incident Management, 19%
DOMAIN 4 OVERVIEW
Effective incident management ensures that incidents are detected, recorded and
managed to limit impacts.
Incident response encompasses the planning, coordination and execution of appropriate
mitigation, containment and recovery strategies and actions.
SECTION ONE
PLANNING AND INTEGRATION
TASK STATEMENTS
T4.1 Establish and maintain an organizational definition of, and severity hierarchy for,
information security incidents to allow accurate classification and categorization of and
response to incidents.
T4.2 Establish and maintain an incident response plan to ensure an effective and timely
response to information security incidents.
T4.8 Establish and maintain communication plans and processes to manage
communication with internal and external entities.
T4.10 Establish and maintain integration among the incident response plan, business
continuity plan and disaster recovery plan.
TASK TO KNOWLEDGE STATEMENTS
How does Section One relate to each of the following knowledge statements?
K4.6 Incidents can move quickly, and having clear thresholds for
notification and escalation helps to get the right people
involved at the right time.
K4.7 Knowing what functions need to be completed and who is
doing them is important in avoiding gaps in planning and
execution.
K4.9 Special considerations apply to collecting and storing data
and equipment that may be needed as evidence in a court
of law.
K4.10 In addition to organizational requirements, law and
regulation may mandate reporting under certain
circumstances.
K4.16 Regular, realistic evaluation and testing of response plans
is important to their being ready for use when needed.
KEY TERMS
Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review.
Event: Something that happens at a specific place and/or time.
Gap analysis: A method of assessing the differences in performance between the current state of operations, systems, etc., as compared with the desired state, resulting in a plan to close any “gaps” discovered.
Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Incident management team: A specific group of people who determines how to manage incidents.
Incident response team: A group of people who prepare for and respond to any emergency incident.
Maximum allowable downtime: The absolute longest amount of time that the system can be unavailable without direct or indirect ramifications to the organization.
Maximum tolerable outage: Maximum time that an enterprise can support processing in alternate mode.
Recovery point objective: Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective: The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Service delivery objective: Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.
Classifying incidents:
• Enables an appropriate response for each incident
• Improves cost effectiveness
• Makes it easier to design detective controls
Incident categories (from figure):
• Malicious code attacks
• Hoaxes/social engineering
• Unauthorized access to IT or information sources
• Unauthorized changes to systems, network devices or information
• DoS/DDoS attacks
• Physical disruption
THE INCIDENT RESPONSE PLAN
Knowing the organization’s risk appetite and goals is the first step:
• Determine how your organization defines “acceptable” incident response.
• Analyze gap between current and desired capabilities.
• Build a plan to close the gap using good practices.
Central IRT
Distributed IRT
• Each of several teams is responsible for a logical or physical segment of the infrastructure
Coordinating IRT
• A central team provides guidance to distributed IRTs, develops policies and standards,
provides training and exercises and coordinates response
Outsourced IRT
Personal Skills
• Communication
• Writing skills
• Leadership
• Presentation skills
• Team building
• Problem solving
• Time management
Technical Skills
• Technical foundation skills
• Incident-handling skills
MULTI-DISCIPLINARY TEAMS
A permanent spot on the IRT may not be needed, but a point of contact is helpful.
GOOD TO KNOW
Brainstorm scenarios that might require forensic analysis and write them into the plan.
Identify types of forensics that can be handled internally vs. using third-party experts.
COMMUNICATION
Business continuity plans (BCPs) document the ways business processes can resume if
the usual way is interrupted.
BCPs are often activated alongside incident response activities.
BCPs include critical factors:
• RTO
• RPO
• SDO
• MTO
QUALITY-ASSOCIATED FACTORS
Recovery that does not meet RPO/SDO thresholds is not complete and may require
workarounds.
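The BCP factors above (RTO, RPO, SDO and MTO, defined in the key terms) only become useful when an actual recovery is measured against them. The following added example, which is not part of the original material, checks a completed recovery against those thresholds and applies the rule just stated: a recovery that misses the RPO or SDO threshold is reported as incomplete and needing workarounds. The objective values, timestamps and the two recovery records are constructed for illustration.

```python
"""Added example: checking a recovery against BCP factors (RTO, RPO, SDO, MTO).

Thresholds and timestamps below are constructed for illustration; they are not
values from the original material.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryObjectives:
    rto: timedelta      # time allowed to recover the function after the disruption
    rpo: timedelta      # acceptable data loss, measured as age of the last good backup
    sdo_percent: int    # service level (%) to be reached in alternate process mode
    mto: timedelta      # maximum time the enterprise can stay in alternate mode


@dataclass(frozen=True)
class RecoveryRecord:
    last_good_backup: datetime        # newest backup usable for restoration
    disruption_start: datetime        # when the service was lost
    service_restored: datetime        # when alternate-mode service became available
    alternate_service_percent: int    # capacity actually delivered in alternate mode
    normal_restored: datetime         # when normal operations resumed


def evaluate_recovery(obj: RecoveryObjectives, rec: RecoveryRecord) -> dict:
    """Compare what happened with what the BCP requires.

    A recovery that misses the RPO or SDO threshold is not complete; RTO and
    MTO are reported as time-associated findings alongside it.
    """
    data_loss = rec.disruption_start - rec.last_good_backup
    downtime = rec.service_restored - rec.disruption_start
    alternate_mode = rec.normal_restored - rec.service_restored
    findings = {
        "data_loss_hours": data_loss / timedelta(hours=1),
        "downtime_hours": downtime / timedelta(hours=1),
        "rpo_met": data_loss <= obj.rpo,
        "rto_met": downtime <= obj.rto,
        "sdo_met": rec.alternate_service_percent >= obj.sdo_percent,
        "mto_met": alternate_mode <= obj.mto,
    }
    findings["complete"] = findings["rpo_met"] and findings["sdo_met"]
    findings["workarounds_needed"] = not findings["complete"]
    return findings


# Constructed sample: objectives from a hypothetical BCP and two recovery records
# that differ only in how fresh the last usable backup was.
OBJECTIVES = RecoveryObjectives(
    rto=timedelta(hours=4), rpo=timedelta(hours=4), sdo_percent=50, mto=timedelta(hours=72)
)
RECOVERY_STALE_BACKUP = RecoveryRecord(
    last_good_backup=datetime(2024, 3, 1, 2, 0),
    disruption_start=datetime(2024, 3, 1, 9, 30),
    service_restored=datetime(2024, 3, 1, 12, 30),
    alternate_service_percent=60,
    normal_restored=datetime(2024, 3, 3, 12, 30),
)
RECOVERY_FRESH_BACKUP = RecoveryRecord(
    last_good_backup=datetime(2024, 3, 1, 8, 0),
    disruption_start=datetime(2024, 3, 1, 9, 30),
    service_restored=datetime(2024, 3, 1, 12, 30),
    alternate_service_percent=60,
    normal_restored=datetime(2024, 3, 3, 12, 30),
)


def demo() -> dict:
    """Return findings for both constructed records, keyed by scenario name."""
    return {
        "stale_backup": evaluate_recovery(OBJECTIVES, RECOVERY_STALE_BACKUP),
        "fresh_backup": evaluate_recovery(OBJECTIVES, RECOVERY_FRESH_BACKUP),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

In the stale-backup scenario the service comes back within the RTO and the alternate site delivers more than the SDO, yet 7.5 hours of data were lost against a 4-hour RPO, so the recovery is still reported as incomplete. That is the practical meaning of the quality-associated factors: meeting the time objectives alone does not finish the recovery.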
TIME-ASSOCIATED FACTORS
Mirror site: An alternate site that contains the same information as the original
• Configured for high availability
Hot site: A fully operational offsite data processing facility equipped with both hardware
and system software to be used in the event of a disaster
Warm site: Similar to a hot site but not fully equipped with all of the necessary hardware
needed for recovery
Cold site: An IS backup facility that has the necessary electrical and physical
components of a computer facility, but does not have the computer equipment in place
DISCUSSION QUESTION
Sculpture gallery
• Cold site: Information systems most likely have a minor effect on the business’s operations.
Building the capabilities needed to manage the information risk associated with incidents
requires time, commitment and resources.
Having senior management commitment lends credibility to the program and increases
awareness.
• A business case can be used to demonstrate the cost effectiveness of having an incident
management and response program.
SECTION ONE SUMMARY
T4.6 Organize, train and equip incident response teams to respond to information
security incidents in an effective and timely manner.
T4.7 Test, review and revise (as applicable) the incident response plan periodically to
ensure an effective response to information security incidents and to improve response
capabilities
TASK TO KNOWLEDGE STATEMENTS
How does Section Two relate to each of the following knowledge statements?
K4.14 Plans are most effective when they take into account all of
the resources available to the organizations, including
those provided externally.
K4.16 Regular, realistic evaluation and testing of response plans
is important to their being ready for use when needed.
K4.18 Organizations need objective methods of measuring the
effectiveness of their plans as a basis for refinement.
KEY TERMS
Full interruption test: A test where operations are shut down at the primary site and shifted to the recovery site in accordance with the recovery plan.
Full operational test: A test where the plan is completely executed short of an actual service disruption.
Parallel test: A test where the recovery site is brought to a state of operational readiness, but operations at the primary site continue normally.
Preparedness test: A localized version of a full test where actual resources are expended in a simulation of a system crash.
Simulation test: A test where the team role-plays a prepared scenario.
Walk-through: A thorough demonstration or explanation that details each step of a process.
Testing uses time and resources, so objectives and criteria should be clear.
Focus on:
• Identifying gaps
• Verifying assumptions
• Validating timelines
• Determining the effectiveness of strategies
• Evaluating the performance of personnel
• Determining the accuracy and currency of plan information
TESTING CONSIDERATIONS
Test types shown in the figure, from table-top exercises to full operational testing:
• Table-top walkthrough of plans
• Table-top walkthrough with disaster scenarios
• Testing infrastructure and communication
• Testing critical infrastructure and recovery of critical applications
• Testing infrastructure, applications and end user involvement
TESTING CATEGORIES
Paper tests
• On-paper walkthroughs to increase awareness
Preparedness tests
• Live rehearsals on real systems in order to identify deficiencies
Test phases (from figure):
• Pretest: Set the stage for the actual test
• Test: Actual operational activities are executed to test specific objectives
• Posttest: Cleanup of group activities is performed
EVALUATION CRITERIA
Testing can be used to highlight the importance of following procedures and document
skills of the IRT.
An independent third party should monitor and evaluate the test.
Make note of procedures that did not work.
THE IMPORTANCE OF PROCEDURES
As people become familiar with the plan, they will begin to anticipate the steps of the
process.
In incident response, a structured approach must be followed.
Discourage working from memory, documenting activities solely as a formality, etc.
Reinforce this behavior with refresher training and checklists.
SECTION TWO SUMMARY
A. Governance
B. Risk management
C. Compliance
D. Information security
SECTION THREE
IDENTIFICATION AND RESPONSE
TASK STATEMENTS
T4.3 Develop and implement processes to ensure the timely identification of information
security incidents that could impact the business.
T4.4 Establish and maintain incident notification and escalation processes to ensure that
the appropriate stakeholders are involved in incident response management.
T4.5 Establish and maintain incident notification and escalation processes to ensure that
the appropriate stakeholders are involved in incident response management.
T4.9 Conduct post-incident reviews to determine the root cause of information security
incidents, develop corrective actions, reassess risk, evaluate response effectiveness and
take appropriate remedial actions.
TASK TO KNOWLEDGE STATEMENTS
How does Section Three relate to each of the following knowledge statements?
K4.2 Significant experience over time has normalized a basic standard for
incident response planning.
K4.4 How incidents are evaluated and classified has implications for
procedures and trend analysis.
K4.6 Incidents can move quickly, and having clear thresholds for
notification and escalation helps to get the right people involved at
the right time.
K4.7 Knowing what functions need to be completed and who is doing
them is important in avoiding gaps in planning and execution.
KEY TERMS
Business impact analysis: A process to determine the impact of losing the support of any resource.
Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Escalation: Increasing the scope and intensity of response activities, usually through notification of higher-level staff within an organization and the addition of resources.
Intrusion detection system: Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack.
Intrusion prevention system: A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks.
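The chain of custody definition above, together with K4.9 (special considerations for collecting and storing evidence), describes a record that accounts for an item from collection to presentation. The following added example, not part of the original material, implements such a record: each hand-off is appended only if the releasing party is the current custodian and the timestamp does not run backwards, the receiver re-hashes the copy on receipt, and a later check walks the whole log to confirm the chain is unbroken. The analyst names, timestamps and the evidence bytes are constructed stand-ins.

```python
"""Added example: chain-of-custody log with integrity checks at each hand-off.

Names, timestamps and the evidence bytes are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class CustodyEntry:
    timestamp: datetime
    released_by: str
    received_by: str
    purpose: str
    sha256: str          # digest computed by the receiver on receipt


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    original_sha256: str                      # reference digest fixed at collection
    custody: list = field(default_factory=list)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(item_id, description, collector, when, data):
    """Open the record: the collector is the first custodian and fixes the reference hash."""
    item = EvidenceItem(item_id, description, sha256_of(data))
    item.custody.append(CustodyEntry(when, collector, collector, "collection", item.original_sha256))
    return item


def transfer(item, when, released_by, received_by, purpose, data) -> bool:
    """Record a hand-off. Returns True when the received copy still matches the original.

    A digest mismatch is logged rather than dropped, so the break stays visible.
    A release by someone who is not the current custodian is refused outright.
    """
    last = item.custody[-1]
    if released_by != last.received_by:
        raise ValueError(f"{released_by!r} is not the current custodian ({last.received_by!r})")
    if when < last.timestamp:
        raise ValueError("hand-off timestamp precedes the previous custody entry")
    digest = sha256_of(data)
    item.custody.append(CustodyEntry(when, released_by, received_by, purpose, digest))
    return digest == item.original_sha256


def custody_is_unbroken(item) -> bool:
    """True when every hand-off links to the previous custodian in time order
    and every recorded digest equals the original."""
    prev = None
    for entry in item.custody:
        if entry.sha256 != item.original_sha256:
            return False
        if prev is not None and (entry.released_by != prev.received_by
                                 or entry.timestamp < prev.timestamp):
            return False
        prev = entry
    return True


# Constructed stand-in for an acquired disk image.
SAMPLE_IMAGE = b"constructed evidence bytes: not a real disk image\n" * 64


def demo() -> dict:
    """Collect one item, hand it off twice, and report the state of the chain."""
    item = collect("EV-001", "constructed laptop disk image", "analyst-a",
                   datetime(2024, 3, 1, 10, 0), SAMPLE_IMAGE)
    first_ok = transfer(item, datetime(2024, 3, 1, 12, 0), "analyst-a",
                        "evidence-custodian", "secure storage", SAMPLE_IMAGE)
    intact_after_first = custody_is_unbroken(item)
    # The lab receives an altered copy: the hand-off is logged but flagged.
    second_ok = transfer(item, datetime(2024, 3, 2, 9, 0), "evidence-custodian",
                         "external-lab", "analysis", SAMPLE_IMAGE + b"tampered")
    return {
        "first_transfer_ok": first_ok,
        "intact_after_first": intact_after_first,
        "second_transfer_ok": second_ok,
        "intact_after_second": custody_is_unbroken(item),
        "entries": len(item.custody),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that a failed integrity check is still recorded. A log that only contains successful hand-offs cannot show where the chain broke, which is exactly what a court or an internal review will ask.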
Investigation will often determine no need for further action and initiate the “end of the
emergency.”
Escalate an incident whenever a cause for concern is uncovered OR the timeframe for
completing a task is exceeded.
The incident response plan should identify people to be notified along with the new steps
to complete the ongoing response.
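Two passages come together here: the severity hierarchy from Section One (classification enables an appropriate response for each incident) and the escalation rule just stated (escalate on a cause for concern OR an exceeded timeframe, and the plan names who gets notified). The following added example, which is not part of the original material, puts both in code. The incident categories are the ones listed in Section One; the base scores, impact weights, per-severity task deadlines and contact roles are assumptions constructed for the example, not any real plan's values.

```python
"""Added example: severity classification with time- and concern-based escalation.

The incident categories come from the material; base scores, impact weights,
deadlines and contact roles are constructed for illustration only.
"""
from datetime import datetime, timedelta

# Incident categories named in the material, each with an assumed base score.
CATEGORY_BASE = {
    "malicious_code": 2,
    "social_engineering": 1,
    "unauthorized_access": 3,
    "unauthorized_change": 3,
    "dos_ddos": 2,
    "physical_disruption": 2,
}
# Assumed business-impact weight added to the base score.
IMPACT_WEIGHT = {"low": 0, "medium": 1, "high": 2}
MAX_SEVERITY = 4

# Assumed thresholds: how long a task may run at each severity before escalation.
TASK_DEADLINE = {
    1: timedelta(hours=72),
    2: timedelta(hours=24),
    3: timedelta(hours=4),
    4: timedelta(hours=1),
}
# Assumed notification roster per severity, standing in for the plan's contact list.
NOTIFY = {
    1: ["service-desk-lead"],
    2: ["irt-lead"],
    3: ["irt-lead", "ciso"],
    4: ["irt-lead", "ciso", "crisis-management-team"],
}


def classify(category: str, impact: str) -> int:
    """Map category plus business impact to a severity from 1 (lowest) to 4."""
    return min(MAX_SEVERITY, CATEGORY_BASE[category] + IMPACT_WEIGHT[impact])


def escalation_decision(severity: int, task_started: datetime, now: datetime,
                        concern_uncovered: bool) -> dict:
    """Escalate when a cause for concern is uncovered OR the task deadline is exceeded."""
    overdue = now - task_started > TASK_DEADLINE[severity]
    if not (concern_uncovered or overdue):
        return {"escalate": False, "reason": None, "new_severity": severity, "notify": []}
    reason = "cause for concern uncovered" if concern_uncovered else "task timeframe exceeded"
    new_severity = min(MAX_SEVERITY, severity + 1)
    return {
        "escalate": True,
        "reason": reason,
        "new_severity": new_severity,
        "notify": NOTIFY[new_severity],
    }


def demo() -> dict:
    """Walk one constructed incident through classification and three check-ins."""
    severity = classify("malicious_code", "medium")   # 2 + 1 = 3
    started = datetime(2024, 3, 1, 10, 0)
    return {
        "severity": severity,
        # two hours in, nothing new found: within the 4-hour deadline, no escalation
        "on_time": escalation_decision(severity, started, datetime(2024, 3, 1, 12, 0), False),
        # five hours in: deadline exceeded, escalate even with nothing new found
        "overdue": escalation_decision(severity, started, datetime(2024, 3, 1, 15, 0), False),
        # one hour in but a cause for concern was uncovered: escalate immediately
        "concern": escalation_decision(severity, started, datetime(2024, 3, 1, 11, 0), True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keeping the deadlines and the notification roster as data rather than code is deliberate: the plan text says who is to be notified, and that roster changes more often than the logic that consults it.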
EXTERNAL NOTIFICATION
Without identifying the root cause of an incident, similar incidents may continue to occur.
Answer the following questions:
• Who is involved?
• What has happened?
• Where did the attack originate?
• When (what time frame)?
• Why did it happen?
• How was the system vulnerable or how did the attack occur?
• What was the reason for the attack (i.e., the perpetrator’s motivation)?