
CISM
Certified Information Security Manager
Firebrand Custom Designed Courseware

2016 Firebrand
5/6/2016

Chapter 4
Information Security Incident Management
Exam Relevance

Ensure that the CISM candidate:
Establish an effective program to respond to and subsequently manage incidents that threaten an organization's information systems and infrastructure

The content area in this chapter will represent approximately 18% of the CISM examination (approximately 36 questions).

ISACA CISM Review Manual Page 220
Chapter 4 Learning Objectives

Develop and implement processes for:
Detecting
Identifying
Analyzing
Responding
to information security incidents

ISACA CISM Review Manual Page 220
Learning Objectives cont.

Incident management process:
Establish a severity hierarchy for identification and response to security incidents
Maintain an incident response plan
Establish processes to identify and investigate incidents
Establish escalation and communications plans
Develop a skilled team

ISACA CISM Review Manual Page 220
Learning Objectives cont.

Test and refine information security incident response plans
Manage incident response
Conduct post-incident reviews of security incidents to determine root cause, develop corrective actions and reassess risk
Integrate incident response plans with business continuity plans (BCP) and disaster recovery plans (DRP)

ISACA CISM Review Manual Page 220
Definition

Incident:
Any event that has the potential to adversely impact the ability of the business to meet its objectives

Incident management:
The capability to effectively manage unexpected disruptive events
Minimize impacts
Maintain and restore normal business operations within defined time limits

ISACA CISM Review Manual Page 233
Definition

Incident response:
The operational capability of incident management that identifies, prepares for and responds to incidents
Provide forensic and investigative capabilities
Restore normal operations as defined in service level agreements (SLAs)
Manage the impact of unexpected disruptive events to acceptable levels

ISACA CISM Review Manual Page 234
Definition

Incident management will ensure that incidents are detected, recorded and managed to limit impacts.

ISACA CISM Review Manual Page 234
Goals of Incident Management and Response

The goals of incident management and response include:
The ability to deal effectively with unanticipated events
Detection and monitoring capabilities to alert staff to a potential incident
Effective notification and reporting to management
A response plan that is aligned with business priorities

ISACA CISM Review Manual Page 234
Goals of Incident Response cont.

The ability to learn from past incidents and prevent future problems
Regular testing and validation of the effectiveness of the plan

ISACA CISM Review Manual Page 234
What is an Incident - Intentional

Malicious code
Unauthorized access to IT systems, facilities, information
Unauthorized use of resources
Unauthorized changes to systems, networks
Denial of service (DoS)
Surveillance, espionage
Social engineering
Fraud

ISACA CISM Review Manual Page 236
What is an Incident - Unintentional

Equipment failure
Utility failure (power)
Software bugs
Deletion of files
Weather-related issues

ISACA CISM Review Manual Page 236
Incident Response Team Members
Personnel

An Incident Response Team usually consists of:
The Incident Manager (often an Information Security Manager)
The Team Leader
Steering committee/advisory board: provide oversight and authority

ISACA CISM Review Manual Page 239
Personnel cont.

An Incident Response Team usually consists of:
Permanent/dedicated team members
Specialized skills: forensics, audit, communications, legal
Representation from key departments: Operations, IT, HR, Finance, Security, Executive, etc.
Virtual/temporary team members
External experts

ISACA CISM Review Manual Page 237
Personnel cont.

The composition of the incident response team will depend on a number of factors such as:
Mission and goals of the incident response program
Nature and range of services provided
Available staff expertise
Scope and technology base
Anticipated incident load
Severity or complexity of incident reports
Funding
Regulations and legal considerations

ISACA CISM Review Manual Page 237
Team Member Skills

The set of basic skills that incident response team members need can be separated into two broad groups:
Personal skills
Ability to handle stress
Leadership skills
Expertise based on the incident handler's daily activity
Technical skills
Specialized skills in IT, communications, etc.

ISACA CISM Review Manual Page 238
Skills cont.

Personal skills:
Communication
Presentation skills
Ability to follow policies and procedures
Team skills
Integrity
Confidence
Problem solving
Time management

ISACA CISM Review Manual Page 238
Skills cont.

Technical skills:
Basic understanding of the underlying technologies used by the organization
Understanding of the techniques, decision points and supporting tools required in incident management

ISACA CISM Review Manual Page 239
Security Concepts and Technologies

The following security concepts and technologies should be considered and known to IRTs:
Security principles
Security vulnerabilities/weaknesses
The Internet
Operating systems
Network protocols
Malicious code
Programming skills
Network applications and services
Network security issues

ISACA CISM Review Manual Page 237
Organizing, Training and Equipping the Response Staff

Every incident response team member should get the following types of training:
Induction to incident response - basic information about the team and its operations
Description of the team's roles, responsibilities and procedures
On-the-job training
Formal training

ISACA CISM Review Manual Page 238
Review and Audit of Incident Response

ISACA CISM Review Manual Page 240
Value Delivery

To deliver value, incident management should:
Integrate and align with business processes and structures
Improve the capability of businesses to manage incidents effectively
Integrate incident management with risk and business continuity
Become part of an organization's overall strategy and effort to protect and secure critical business functions and assets

ISACA CISM Review Manual Page 241
Performance Measurement

Performance measurements for incident management and response will focus on achieving the defined objectives and optimizing effectiveness:
Incident response time
Application of lessons learned

KPIs and KGIs should be defined and agreed upon by stakeholders and ratified by senior management

ISACA CISM Review Manual Page 241
Reviewing the Current State of Incident Response Capability

Survey of senior management, business managers and IT representatives
Self-assessment
External assessment or audit

ISACA CISM Review Manual Page 243
Audits

Audits (internal and external) must be performed to verify:
Incidents have been resolved and closed off
Lessons learned applied to the organization
Adherence by the incident response team to the policies and procedures defined by the organization

ISACA CISM Review Manual Page 240
History of Incidents

Past incidents provide valuable information on risk trends, threat types and business impact due to an incident
Can be used to evaluate the existing plans
Used as input to know the types of incidents that must be considered and planned for

ISACA CISM Review Manual Page 244
Gap Analysis - Basis for an Incident Response Plan

Gap analysis compares current incident response capabilities with the desired level.

The following may be identified:
Processes that need to be improved to be more efficient and effective
Resources needed to achieve the objectives for the incident response capability

ISACA CISM Review Manual Page 245
Preparing the Incident Response Plan
Incident Management and Response

The incident management and response structure should include:
Incident Response Planning
Business Continuity Planning
Disaster Recovery Planning
Recovery of IT systems
Incident Management and Response cont.

Plans must be:
Clearly documented
Readily accessible
Based on the long-range IT plan
Consistent with the overall business continuity and security strategies
Incident Management and Response cont.

Incident response planning includes:
Incident detection capabilities (ability to recognize an event: false positive vs. real event)
Clearly defined severity criteria (catastrophic, major, minor)
Assessment and triage capabilities (determine extent of incident)
Declaration criteria (activation of response teams)
Importance of Incident Management and Response

Incident response is required since even minor incidents may:
Affect business viability
Develop into major incidents
Require public communications plans
Necessitate advising regulators, clients or other affected stakeholders

Even the best controls cannot prevent all incidents

ISACA CISM Review Manual Page 234
Incident Response Functions

Detection and reporting: alerting, escalation
Triage: containment, recovery
Analysis: root cause, lessons learned
Incident response team skills: necessary training and experience

ISACA CISM Review Manual Page 234
Incident Management Technologies

An effective incident management system should:
Monitor and consolidate inputs from multiple systems
Identify incidents or potential incidents
Prioritize incidents based on business impact
Provide status tracking and notifications
Integrate with major IT management systems
Follow good practice guidelines

ISACA CISM Review Manual Page 235
Responsibilities of the CISM

Developing the information security incident management and response plans
Handling and coordinating information security incident response activities
Validating, verifying and reporting on the effectiveness of protective controls and countermeasure solutions
Planning, budgeting and program development for all matters related to information security incident management and response

ISACA CISM Review Manual Page 236
Incident Response Responsibilities

The responsibilities of incident response include:
Managing the incident so that the impact is contained and minimal damage occurs
Notifying the appropriate people and escalating the incident to management when required
Recovering quickly and efficiently from security incidents
Balancing operational and security needs

ISACA CISM Review Manual Page 236
Incident Response Responsibilities cont.

The responsibilities of incident response include:
Responding systematically and decreasing the likelihood of cascading problems or incident recurrence
Dealing with legal and law enforcement-related issues
Ensuring that the incident response is documented
Following up on lessons learned to enhance controls

ISACA CISM Review Manual Page 236
Requirements for Incident Response Managers

Have the leadership skills necessary to manage crisis teams
Understand business priorities and culture
Have the experience, knowledge, and the authority to invoke the disaster recovery processes necessary to maintain or recover operational status

ISACA CISM Review Manual Page 236
Senior Management Involvement

Senior management provides strategic direction during the crisis
Reporting of the incident is escalated to senior management
Decisions and direction are passed down to the incident management teams

ISACA CISM Review Manual Page 236
The Desired State

Incident management and response requires:
Well-developed monitoring capabilities for key controls
Personnel trained in assessing the situation, capable of providing triage, and managing effective responses
Managers that have made provisions to capture all relevant information and apply previously learned lessons

ISACA CISM Review Manual Page 240
Strategic Alignment of Incident Response

Incident management services must be aligned with the organization's strategic plan:
Scope: what incidents are the responsibility of the incident response team
Services: services should be clearly defined
Organizational structure: reporting and oversight
Resources: sufficient staffing and skills necessary for effective response
Funding: sufficient funding as required to manage incident response
Management buy-in: senior management buy-in is essential

ISACA CISM Review Manual Page 240
Creating a Detailed Incident Response Plan
Detailed Plan of Action for Incident Management

The incident management action plan outlined in the CMU/SEI technical report titled "Defining Incident Management Processes":
Prepare/improve/sustain (prepare)
Protect infrastructure (protect)
Detect events (detect)
Triage events (triage)
Respond

ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Prepare

Prepare/improve/sustain (prepare) phase:
Coordinate planning and design.
Identify incident management requirements.
Establish vision and mission.
Obtain funding and sponsorship.
Develop implementation plan.
Coordinate implementation.

ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Prepare cont.

Prepare/improve/sustain (prepare) phase:
Develop policies, processes and plans.
Establish incident handling criteria.
Implement defined resources.
Evaluate incident management capability.
Conduct postmortem review.
Determine incident management process changes.
Implement incident management process changes.

ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Protect

Protect infrastructure (protect) phase:
Implement changes to computing infrastructure to mitigate ongoing or potential incident.
Implement infrastructure protection improvements from postmortem reviews or other process improvement mechanisms.
Evaluate computing infrastructure by performing proactive security assessments and evaluations.
Provide input to detect processes on incidents/potential incidents.

ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Detect

Detect events (detect) phase:
Proactive detection: the detection process is conducted prior to incident alert. This will enable the response team to detect attack precursors, false negatives and emerging threats.
Reactive detection: the detection process is conducted when there are reports of possible incidents from system users or other organizations.

ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Triage

Triage:
Requires initial gathering of incident data, incident severity determination, notification and activation of incident response team
Can be done on two levels:
Tactical - based on a set of criteria
Strategic - based on the impact on the business

ISACA CISM Review Manual Page 242
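The two triage levels on this slide (tactical, criteria-based; strategic, business-impact-based), together with the severity criteria and declaration criteria from the "Incident response planning includes" slide and the incident response time measure from the "Performance Measurement" slide, as an added worked example in Python. This code is not from the ISACA CISM Review Manual or the Firebrand courseware; the severity thresholds, the asset business-impact scores, the declaration rule and the sample event records are constructed assumptions for illustration.

```python
"""Tactical and strategic triage of reported events, with a response-time KPI.

Added example, not from the ISACA CISM Review Manual or the Firebrand
courseware. Severity labels (catastrophic/major/minor), the two triage levels
and the declaration step follow the slides; every number below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed business-impact scores per asset (assumption: produced by the
# business impact assessment on a relative 1..10 scale).
ASSET_BUSINESS_IMPACT = {"payment-gateway": 10, "hr-portal": 6, "dev-wiki": 2}


@dataclass
class Event:
    event_id: str
    asset: str
    category: str            # e.g. "malicious code", "unauthorized access"
    detected_at: datetime
    confirmed: bool          # False -> false positive after the initial checks
    systems_affected: int
    data_exposed: bool


@dataclass
class TriageResult:
    event_id: str
    is_incident: bool
    severity: Optional[str]  # "catastrophic" | "major" | "minor" | None
    business_impact: int
    activate_team: bool


def tactical_severity(ev: Event) -> str:
    """Tactical triage: grade the event against a fixed set of criteria (constructed)."""
    if ev.data_exposed or ev.systems_affected >= 20:
        return "catastrophic"
    if ev.systems_affected >= 5 or ev.category in ("unauthorized access", "denial of service"):
        return "major"
    return "minor"


def strategic_impact(ev: Event, severity: str) -> int:
    """Strategic triage: weight the tactical severity by the asset's business impact."""
    weight = {"catastrophic": 3, "major": 2, "minor": 1}[severity]
    return weight * ASSET_BUSINESS_IMPACT.get(ev.asset, 1)


def triage(ev: Event, declaration_threshold: int = 9) -> TriageResult:
    """Confirm the event, grade it on both levels and apply the declaration criteria."""
    if not ev.confirmed:  # false positive: recorded, but no incident is declared
        return TriageResult(ev.event_id, False, None, 0, False)
    sev = tactical_severity(ev)
    impact = strategic_impact(ev, sev)
    # Declaration criteria (constructed): any catastrophic event, or a business
    # impact score at or above the threshold, activates the response team.
    activate = sev == "catastrophic" or impact >= declaration_threshold
    return TriageResult(ev.event_id, True, sev, impact, activate)


def response_time_minutes(detected_at: datetime, responded_at: datetime) -> float:
    """Incident response time KPI: minutes from detection to team activation."""
    return (responded_at - detected_at).total_seconds() / 60


# Constructed sample event records.
T0 = datetime(2016, 5, 6, 9, 0)
SAMPLE_EVENTS = [
    Event("E-1", "payment-gateway", "malicious code", T0, True, 3, False),
    Event("E-2", "dev-wiki", "unauthorized access", T0 + timedelta(minutes=5), True, 1, False),
    Event("E-3", "hr-portal", "malicious code", T0 + timedelta(minutes=9), False, 1, False),
    Event("E-4", "hr-portal", "unauthorized changes", T0 + timedelta(minutes=15), True, 25, True),
]


def triage_all(events=SAMPLE_EVENTS) -> dict:
    """Triage every sample event; keyed by event id so results can be inspected."""
    return {ev.event_id: triage(ev) for ev in events}


def sample_response_time() -> float:
    """KPI for E-4, assuming (constructed) the team was activated 25 minutes after detection."""
    e4 = SAMPLE_EVENTS[3]
    return response_time_minutes(e4.detected_at, e4.detected_at + timedelta(minutes=25))


if __name__ == "__main__":
    for result in triage_all().values():
        print(result)
    print("E-4 response time (min):", sample_response_time())
```

Note how the two levels diverge: E-1 is only "minor" on the tactical criteria but is declared because it sits on the highest-impact asset, while E-2 is "major" tactically yet stays undeclared because the affected asset carries little business impact. E-3 is the false-positive path the detection slide mentions: it is recorded but never becomes an incident.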
Detailed Plan of Action for Incident Management - Response

Response:
Technical response
Collecting data for further analysis
Analyzing incident supporting information such as log files
Technical mitigation strategies and recovery options
Development and deployment of workarounds
Management response
Legal response

ISACA CISM Review Manual Page 242
Elements of an Incident Response Plan

Another approach to the development of an incident response plan:
Preparation
Identification
Containment
Eradication
Recovery
Lessons learned

ISACA CISM Review Manual Page 244
Crisis Communications

One of the greatest challenges in a crisis is effective communications:
Internal: staff, management, business units
External: business partners, shareholders, general public, government and regulatory bodies, law enforcement

ISACA CISM Review Manual Page 248
Challenges in Developing an Incident Management Plan

Unanticipated challenges may be the result of:
Lack of management buy-in and organizational consensus
Mismatch to organizational goals and priorities
Incident management team member turnover
Poor communications
Complex and wide plan

ISACA CISM Review Manual Page 248
Responding to an Incident
When an Incident Occurs

If an incident occurs:
The incident response team should follow the procedures set out in the incident response plan
Properly document (record and preserve) all information related to the incident
Follow data/evidence preservation procedures
Take precautions to avoid changing, altering or contaminating any potential or actual evidence

ISACA CISM Review Manual Page 258
During an Incident

The initial response to an incident should include:
Retrieving information needed to confirm an incident (false positive or real event)
Notify incident manager and activate incident response teams

ISACA CISM Review Manual Page 258
During an Incident cont.

Identifying the scope and size of the affected environment (e.g., networks, systems, applications)
Contain the incident and minimize the potential for further damage
Determining the degree of loss, modification or damage (if any)
Identifying the possible path or means of attack
Restore critical services

ISACA CISM Review Manual Page 258
Containment Strategies

During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs:
Network isolation and segmentation
Fire doors and fire suppression
Fail secure
Multiple suppliers
Multiple facilities
Cross-trained staff

ISACA CISM Review Manual Page 258
The Battle Box

Preloaded kits containing the tools and support materials needed by the response team in a crisis:
Flashlights
Communications (radio, satellite phones)
Battery
Forms and documentation, pens
Tools
Protective clothing
First aid kits
Evidence collection bags
Evidence Identification and Preservation

The CISM must know:
Requirements for collecting and preserving evidence
Rules for evidence, admissibility of evidence, and quality and completeness of evidence
The consequences of any contamination of evidence following a security incident
Consider enlisting the help of third-party specialists if detailed forensic skills are needed

ISACA CISM Review Manual Page 260
Post Event Reviews

Post event reviews allow lessons learned to be applied to future incidents:
Use information gathered to improve response procedures
Do reviews with all affected staff
Follow up on all lessons

ISACA CISM Review Manual Page 259
Business Continuity and Disaster Recovery Planning
Disaster Recovery Planning (DRP) and Business Recovery Processes

Disaster recovery has traditionally been defined as the recovery of IT systems from disastrous events.
Business recovery (resumption) is defined as the recovery of the critical business processes necessary to continue or resume operations.

ISACA CISM Review Manual Page 249
Development of BCP and DRP

Each of these planning processes typically includes several main phases, including:
Risk and business impact assessment
Response and recovery strategy definition
Documenting response and recovery plans
Training all users and response teams
Updating response and recovery plans
Testing response and recovery plans
Auditing response and recovery plans

ISACA CISM Review Manual Page 249
Plan Development

Plan development factors include:
Pre-incident readiness
Evacuation procedures
How to declare a disaster
Identifying the business processes and IT resources that should be recovered
Identifying the responsibilities in the plan

ISACA CISM Review Manual Page 249
Plan Development cont.

Plan development factors include:
Identifying contact information
The step-by-step explanation of the recovery options
Identifying the various resources required for recovery and continued operations
Ensuring that other logistics such as personnel relocation and temporary housing are considered

ISACA CISM Review Manual Page 250
Developing Response and Recovery Plans

Factors to consider when developing response and recovery plans include:
Available resources
Expected service levels
Types, kinds, and severity of threats faced by the organization

ISACA CISM Review Manual Page 250
Recovery Strategies

Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal.

Strategies may include:
Doing nothing until recovery facilities are ready
Using manual procedures / workarounds
Focusing on the most important customers, suppliers, products, and systems with resources that are still available

ISACA CISM Review Manual Page 251
Recovery Strategies

The most appropriate recovery strategy is based on:
The ability to recover within acceptable recovery times at a reasonable cost
Which recovery strategies are available
Several options may be considered, including outsourcing of certain functions

ISACA CISM Review Manual Page 252
Basis for Recovery Strategy Selections

Response and recovery strategy plans should be based on the following considerations:
Interruption window
RTOs
RPOs
Service delivery objectives (SDOs)
Maximum tolerable outages (MTOs) / maximum tolerable period of disruption (MTPD)
Location
Nature of probable disruptions

ISACA CISM Review Manual Page 252
Disaster Recovery Sites

Types of offsite backup hardware facilities available include:
Hot sites
Warm sites
Cold sites
Mobile sites
Duplicate information processing facilities
Mirror sites

ISACA CISM Review Manual Page 250
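How the selection criteria from the previous slide (RTO, RPO, SDO, MTO/MTPD) and the site types on this slide combine into a strategy choice, as an added worked example in Python. This code is not from the ISACA CISM Review Manual or the Firebrand courseware; the recovery times, data-loss windows, service levels and annual costs attached to each site type, and the sample business processes, are constructed assumptions for illustration, not figures the manual gives.

```python
"""Selecting the cheapest recovery strategy that meets a process's RTO, RPO and SDO.

Added example, not from the ISACA CISM Review Manual or the Firebrand
courseware. The objectives and site types follow the slides; all numbers
attached to them here are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessRequirement:
    name: str
    rto_hours: float      # recovery time objective
    rpo_hours: float      # recovery point objective (maximum acceptable data loss)
    sdo_percent: float    # service delivery objective: service level required during recovery
    mtpd_hours: float     # maximum tolerable period of disruption (MTO/MTPD)


@dataclass(frozen=True)
class Strategy:
    name: str
    recovery_hours: float   # time the site needs before processing can resume
    data_loss_hours: float  # worst-case age of the last usable copy of the data
    service_percent: float  # share of normal service the site can sustain
    annual_cost: float      # yearly cost of keeping the option available


# Constructed characteristics for the classic site types (assumption: from a
# site assessment; real values depend on contracts, distance and data volume).
CANDIDATES: List[Strategy] = [
    Strategy("cold site", 72, 24, 60, 20_000),
    Strategy("warm site", 24, 12, 80, 80_000),
    Strategy("hot site", 2, 1, 100, 300_000),
    Strategy("mirror site", 0.1, 0.0, 100, 900_000),
]


def requirement_is_consistent(req: ProcessRequirement) -> bool:
    """An RTO longer than the MTPD is self-contradictory: the business would already be past
    the point it can tolerate before recovery is even due."""
    return req.rto_hours <= req.mtpd_hours


def meets_objectives(req: ProcessRequirement, s: Strategy) -> bool:
    """A strategy is viable only if it satisfies RTO, RPO and SDO together."""
    return (
        s.recovery_hours <= req.rto_hours
        and s.data_loss_hours <= req.rpo_hours
        and s.service_percent >= req.sdo_percent
    )


def select_strategy(req: ProcessRequirement, candidates=CANDIDATES) -> Optional[Strategy]:
    """Pick the lowest-cost viable strategy (recover within acceptable time at reasonable
    cost); None means no available strategy meets the objectives and they must be revisited."""
    if not requirement_is_consistent(req):
        raise ValueError(f"{req.name}: RTO {req.rto_hours}h exceeds MTPD {req.mtpd_hours}h")
    viable = [s for s in candidates if meets_objectives(req, s)]
    return min(viable, key=lambda s: s.annual_cost) if viable else None


def selected_name(req: ProcessRequirement) -> Optional[str]:
    chosen = select_strategy(req)
    return chosen.name if chosen else None


# Constructed sample business processes from a business impact assessment.
PAYMENTS = ProcessRequirement("card payments", rto_hours=4, rpo_hours=1, sdo_percent=90, mtpd_hours=8)
PAYROLL = ProcessRequirement("monthly payroll", rto_hours=48, rpo_hours=24, sdo_percent=70, mtpd_hours=120)
TRADING = ProcessRequirement("real-time trading", rto_hours=0.05, rpo_hours=0, sdo_percent=100, mtpd_hours=0.5)
INCONSISTENT = ProcessRequirement("misconfigured", rto_hours=24, rpo_hours=4, sdo_percent=80, mtpd_hours=12)


if __name__ == "__main__":
    for req in (PAYMENTS, PAYROLL, TRADING):
        print(f"{req.name}: {selected_name(req)}")
    print("inconsistent objectives:", not requirement_is_consistent(INCONSISTENT))
```

With these constructed figures the card-payment process needs a hot site (the mirror site also qualifies but costs more), payroll is served by a warm site, and the trading process gets no answer at all, which is the signal that either the objectives or the list of available strategies (outsourcing, for instance) has to change before a plan can be written.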
Disaster Recovery Sites cont.

Criteria for selecting alternate sites for processing in the event of a disaster include:
The recovery site should not be subject to the same disaster(s) as the primary site
Availability of similar hardware/software
Ability to move people and resources to the recovery location
Ability to test the recovery strategy

ISACA CISM Review Manual Page 250
Recovery of Communications

Recovery of IT facilities involves telecommunications and network recovery:
Alternative / diverse routing
Long-haul network diversity
Voice recovery
Availability of appropriate circuits and adequate bandwidth
Availability of out-of-band communications in case of failure of primary communication methods

ISACA CISM Review Manual Page 254
Notification Requirements

Plan should include a call tree with a prioritized or predefined list of contacts:
Representatives of equipment and software vendors
Contacts within companies that have been designated to provide supplies and equipment or services
Contacts at recovery facilities, including hot-site representatives or network communications rerouting services

ISACA CISM Review Manual Page 253
Notification Requirements cont.

Plan should include a call tree with a prioritized list of:
Contacts at off-site media storage facilities and the contacts within the company who are authorized to retrieve media from the off-site facility
Insurance company agents
Contacts at human resources (HR) and/or contract personnel services
Law enforcement contacts

ISACA CISM Review Manual Page 253
Response Teams

Number of teams depends upon size of organization and magnitude of operations - examples include:
The emergency action team
Damage assessment team
Emergency management team
Relocation team
Security team

ISACA CISM Review Manual Page 247
Insurance

Types of insurance coverage:
IT equipment and facilities
Media (software) reconstruction
Extra expense
Business interruption
Valuable papers and records
Errors and omissions
Fidelity coverage
Media transportation

ISACA CISM Review Manual Page 255
Testing Response and Recovery Plans

Testing must include:
Developing test objectives
Executing the test
Evaluating the test
Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
Implementing a follow-up process to ensure that the recommendations are implemented

ISACA CISM Review Manual Page 256
Types of Tests

Tests can include:
Desk check / table-top walk-through of the plans
Table-top walk-through with mock disaster scenarios (simulation tests)
Testing the infrastructure and communication components of the recovery plan
Testing the infrastructure and recovery of the critical applications (parallel tests)
Full restoration and recovery tests with some personnel unfamiliar with the systems

ISACA CISM Review Manual Page 256
Test Results

The test should strive to:
Verify the completeness and effectiveness of the response and recovery plans
Evaluate the performance of the personnel involved in the exercise
Evaluate the coordination among the team members and external vendors and suppliers
Indicate areas where improvements to the plan are necessary

ISACA CISM Review Manual Page 256
Test Results cont.

The test should strive to:
Measure the ability and capacity of the backup site to perform required processing
Ensure vital records / data can be retrieved
Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
Measure the overall performance of operational and information systems related to maintaining the business entity

ISACA CISM Review Manual Page 257
Plan Maintenance Activities

The BCP and DR plans must be maintained through:
Developing a schedule for periodic review and maintenance of the plan
Updating plan with personnel changes, phone numbers and responsibilities or status within the company
Updating the plan whenever significant changes have occurred:
Organizational change
Results of tests or incidents

ISACA CISM Review Manual Page 255
BCP and DRP Training

Training must be provided for all staff dependent on their responsibilities:
Develop a schedule for training personnel in emergency and recovery procedures
Users
Team members
Local business unit liaisons
End of Chapter

This concludes the 2016 CISM Course