CISM™
Certified Information
Security Manager
Chapter 4
Ensure that the CISM candidate…
Establish an effective program to respond to and
subsequently manage incidents that threaten an
organization’s information systems and infrastructure
The content area in this chapter will represent
approximately 18% of the CISM examination
(approximately 36 questions).
Chapter 4
Learning Objectives
Develop and implement processes
for:
• Detecting
• Identifying
• Analyzing
• Responding
Learning Objectives cont.
Incident Management process
• Establish a severity hierarchy for identification
and response to security incidents
• Maintain an incident response plan
• Establish processes to identify and investigate
incidents
Learning Objectives cont.
Test and refine information security incident response plans
Manage incident response
Conduct post-incident reviews of security incidents to
determine root cause, develop corrective actions and reassess
risk
Definition
Incident
• Any event that has the potential to adversely impact the ability of the business to meet its objectives
Incident management
• The capability to effectively manage unexpected disruptive events
• Minimize impacts
• Maintain and restore normal business
Definition
Incident response
• The operational capability of incident
management that identifies, prepares for and
responds to incidents
• Provide forensic and investigative
capabilities
• Restore normal operations as defined in
service level agreements (SLAs)
Definition
Incident Management will
ensure that incidents are
Goals of Incident Management and
Response
The goals of incident management and
response include:
• The ability to deal effectively with
unanticipated events
• Detection and monitoring capabilities to
alert staff to a potential incident
• Effective notification and reporting to
management
Goals of
Incident Response cont.
The ability to learn from past
incidents and prevent future
problems
Regular testing and validation
of the effectiveness of the
What is an Incident - Intentional
Malicious code
Unauthorized access to IT systems, facilities, information
Unauthorized use of resources
Unauthorized changes to systems, networks
Denial of service (DoS)
What is an Incident - Unintentional
Equipment failure
Utility failure (power)
Personnel
An Incident Response Team usually
consists of
• The Incident Manager (often an
Information Security Manager)
• The Team Leader
Personnel cont.
• Permanent/dedicated team
members
• Specialized skills – forensics,
audit, communications, legal
• Representation from key
departments – Operations, IT, HR,
Finance, Security, Executive, etc.
• Virtual/temporary team members
Personnel cont.
The composition of the incident response
team will depend on a number of factors
such as
• Mission and goals of the incident response program
• Nature and range of services provided
• Available staff expertise
• Scope and technology base
• Anticipated incident load
Team Member Skills
The set of basic skills that incident response
team members need can be separated into two
broad groups:
• Personal skills (e.g., the ability to handle stress,
leadership skills)
• Technical skills (expertise based on the incident
handler's daily activity)
Skills cont.
Personal skills
• Communication
• Presentation skills
• Ability to follow policies and procedures
• Team skills
• Integrity
• Confidence
Skills cont.
Technical skills
• Basic understanding of the underlying
technologies used by the organization
• Understanding of the techniques, decision
points and supporting tools required in
incident management
Security Concepts and Technologies
The following security concepts and technologies
should be considered and known to IRTs:
• Security principles
• Security vulnerabilities/weaknesses
• The Internet
• Network protocols
Organizing, Training and Equipping the
Response Staff
Every incident response team member
should get the following types of training:
• Induction to Incident response - basic
information about the team and its
operations
• Description of the team’s roles,
responsibilities and procedures
• On the job training
Value Delivery
To deliver value, incident management should:
• Integrate and align with business processes and
structures
• Improve the capability of businesses to manage
incidents effectively
• Integrate incident management with risk and
business continuity
Performance Measurement
Performance measurements for incident
management and response will focus on
achieving the defined objectives and
optimizing effectiveness
• Incident response time
• Application of lessons learned
Reviewing the Current State of Incident Response Capability
• Survey of senior management, business
managers and IT representatives
• Self-assessment
• Audits
Audits (internal and
external) must be
performed to verify
• Incidents have been resolved
and closed off
• Lessons learned applied to the
organization
• Adherence by the incident
History of Incidents
Past incidents provide valuable
information on risk trends, threat types
and business impact due to an incident
• Can be used to evaluate the existing plans
• Used as input to know the types of incidents
Gap Analysis – Basis for
an Incident Response Plan
Gap analysis – compares current
incident response capabilities with
the desired level
• Processes that need to be improved
to be more efficient and effective
• Resources needed to achieve the
objectives for the incident response
Incident Management and Response cont.
Plans must be
• Clearly documented
• Readily accessible
• Based on the long range IT plan
• Consistent with the overall
Incident Management
and Response cont.
Incident Response planning includes
• Incident detection capabilities (the ability to
recognize an event and to distinguish a false
positive from a real event)
• Clearly defined severity criteria (catastrophic,
major, minor)
• Assessment and triage capabilities (to determine
the extent of an incident)
Importance of Incident Management and
Response
Incident response is required since even
minor incidents may:
• Affect business viability
• Develop into major incidents
• Require public communications plans
• Necessitate advising regulators, clients or
other affected stakeholders
Incident Response Functions
Detection and reporting
• Alerting, escalation
Triage
• Containment, recovery
Analysis
• Root cause, lessons learned
Incident Management Technologies
An effective incident management system will:
• Monitor and consolidate inputs from multiple systems
• Identify incidents or potential incidents
• Prioritize incidents based on business impact
• Provide status tracking and notifications
• Integrate with major IT management systems
• Follow good practices guidelines
Responsibilities of the CISM
Developing the information security incident management and response plans
Handling and coordinating information security incident response activities
Validating, verifying and reporting on the effectiveness of protective controls and countermeasure solutions
Incident Response Responsibilities
The responsibilities of incident response
include:
• Managing the incident so that the impact is contained and
minimal damage occurs
• Notifying the appropriate people and escalating the incident
to management when required
Incident Response Responsibilities cont.
The responsibilities
of incident
response include:
• Responding systematically and
decreasing the likelihood of cascading problems or incident recurrence
• Dealing with legal and law enforcement-related issues
• Ensuring that the incident response is documented
Requirements for Incident Response
Managers
Have the leadership skills necessary to manage crisis
teams
Understand business priorities and culture
Senior Management Involvement
Senior management provides
strategic direction during the crisis
•Reporting of the incident is
escalated to senior management
The Desired State
Incident management and response requires
• Well-developed monitoring capabilities for
key controls
• Personnel trained in assessing the situation,
capable of providing triage, and managing
effective responses
• Managers that have made provisions to
Strategic Alignment of Incident Response
• Scope – what incidents are the responsibility of the Incident response team
• Services – services should be clearly defined
• Organizational structure – reporting and oversight
• Resources – sufficient staffing and skills necessary for effective response
• Funding – sufficient funding as required to manage incident response
Detailed Plan of Action for Incident Management
The incident management action plan
outlined in the CMU/SEI technical report
titled Defining Incident Management
Processes consists of five processes:
• Prepare/improve/sustain (prepare)
• Protect infrastructure (protect)
• Detect events (detect)
• Triage events (triage)
• Respond (respond)
Detailed Plan of Action for Incident
Management - Prepare
Prepare/improve/sustain (prepare)
phase:
• Coordinate planning and design.
• Identify incident management
requirements.
• Establish vision and mission.
Detailed Plan of Action for Incident
Management – Prepare cont.
Prepare/improve/sustain (prepare) phase
• Develop policies, processes and plans.
• Establish incident handling criteria.
• Implement defined resources.
• Evaluate incident management capability.
• Conduct postmortem review.
Detailed Plan of Action for Incident
Management - Protect
Protect infrastructure (protect) phase
• Implement changes to computing infrastructure
to mitigate ongoing or potential incident.
• Implement infrastructure protection
improvements from postmortem reviews or other
process improvement mechanisms.
• Evaluate computing infrastructure by performing
proactive security assessments and evaluations.
• Provide input to detect processes on
Detailed Plan of Action for Incident Management - Detect
Detect events (detect) phase
• Proactive detection—The detection process is
conducted prior to an incident alert. This enables
the response team to detect attack precursors,
false negatives and emerging threats.
• Reactive detection—The detection process is
conducted when there are reports of possible
incidents from system users or other organizations.
Detailed Plan of Action for Incident
Management - Triage
Triage
Requires initial gathering of incident data,
incident severity determination, notification
and activation of incident response team
• Can be done on two levels
• Tactical - Based on a set of criteria
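The triage steps above (initial gathering of incident data, severity determination, notification) together with the earlier slides on severity criteria (catastrophic, major, minor), on distinguishing a false positive from a real event, and on an incident management system that consolidates inputs from multiple systems and prioritizes by business impact, as an added example that is not part of the CISM course material. Alerts from several constructed sources are grouped into incidents, each is scored against assumed severity criteria that map onto the catastrophic/major/minor hierarchy, and each is matched to an assumed notification list. The class and function names (`Alert`, `Incident`, `consolidate`, `severity`, `triage`), the asset inventory, the criticality ratings, the thresholds and the escalation contacts are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed asset inventory (constructed): business criticality drives severity.
ASSET_CRITICALITY = {
    "payments-db": "critical",
    "web-frontend": "high",
    "hr-portal": "medium",
    "dev-jenkins": "low",
}

# Severity hierarchy from the course material: catastrophic / major / minor.
# The notification list for each level is an assumption, not from the page.
ESCALATION = {
    "catastrophic": ["incident manager", "CISO", "executive management"],
    "major": ["incident manager", "team leader"],
    "minor": ["team leader"],
}


@dataclass
class Alert:
    source: str      # monitoring system or reporting channel, e.g. "ids", "edr", "helpdesk"
    asset: str
    category: str    # e.g. "unauthorized-access", "malware", "dos"
    confirmed: bool  # True once an analyst has verified it is not a false positive
    detection: str   # "proactive" (tooling found it) or "reactive" (a user reported it)


@dataclass
class Incident:
    asset: str
    category: str
    alerts: list = field(default_factory=list)

    @property
    def confirmed(self):
        return any(a.confirmed for a in self.alerts)

    @property
    def sources(self):
        return sorted({a.source for a in self.alerts})


def consolidate(alerts):
    """Group alerts about the same asset and category into one incident record."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.asset, a.category)].append(a)
    return [Incident(asset, cat, group) for (asset, cat), group in groups.items()]


def severity(incident):
    """Assumed severity criteria: a confirmed event on a critical asset, or one
    corroborated by two or more independent sources, is catastrophic; a confirmed
    event on a high-criticality asset is major; everything else, including an
    unconfirmed single-source alert that may be a false positive, is minor."""
    crit = ASSET_CRITICALITY.get(incident.asset, "low")
    if incident.confirmed and (crit == "critical" or len(incident.sources) >= 2):
        return "catastrophic"
    if incident.confirmed and crit == "high":
        return "major"
    return "minor"


def triage(alerts):
    """Return incidents ordered by severity, each with its notification list."""
    order = {"catastrophic": 0, "major": 1, "minor": 2}
    rows = []
    for inc in consolidate(alerts):
        sev = severity(inc)
        rows.append({
            "asset": inc.asset,
            "category": inc.category,
            "severity": sev,
            "sources": inc.sources,
            "confirmed": inc.confirmed,
            "notify": ESCALATION[sev],
        })
    return sorted(rows, key=lambda r: order[r["severity"]])


# Constructed alert feed: two proactive detections on one asset, one reactive
# user report, and one unconfirmed alert that has not yet been validated.
SAMPLE_ALERTS = [
    Alert("ids", "payments-db", "unauthorized-access", True, "proactive"),
    Alert("edr", "payments-db", "unauthorized-access", True, "proactive"),
    Alert("helpdesk", "web-frontend", "malware", True, "reactive"),
    Alert("ids", "dev-jenkins", "dos", False, "proactive"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row["severity"], row["asset"], row["category"], "->", ", ".join(row["notify"]))
```

The unconfirmed alert stays at the lowest level until an analyst validates it, which is the false-positive check the detection slide calls for; corroboration from two independent sources is treated as confirmation of a real event rather than as two separate incidents.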
Detailed Plan of Action for Incident Management - Response
Response
• Technical response
• Collecting data for further analysis
• Analyzing incident supporting information such as log files
• Technical mitigation strategies and recovery options
• Development and deployment of workarounds
Elements of an Incident Response Plan
Another approach to the development
of an incident response plan
Crisis Communications
• Internal
• Staff, management, business units
• External
• Business partners
• Shareholders
• General public
Challenges in Developing an Incident
Management Plan
Unanticipated challenges may be the
result of
• Lack of management buy-in and
organizational consensus
• Mismatch to organizational goals and
priorities
• Incident management team member turnover
• Poor communications
When an Incident Occurs
If an incident occurs:
• The Incident response team should follow the
procedures set out in the Incident response
plan
• Properly document (record and preserve) all
information related to the incident
• Follow data/evidence preservation procedures
• Take precautions to avoid changing, altering or
During an Incident
• Retrieving information
needed to confirm an
incident
• False positive or real
event
• Notify incident manager
and activate incident
During an Incident cont.
• Identifying the scope and size of the affected
environment (e.g., networks, systems, applications)
• Containing the incident and minimizing the potential for further damage
• Determining the degree of loss, modification or
damage (if any)
Containment Strategies
• Network isolation and
segmentation
• Fire doors and fire
suppression
• Fail secure
• Multiple suppliers
• Multiple facilities
• Cross trained staff
The Battle Box
Preloaded kits containing the tools and support
materials needed by the response team in a crisis
• Flashlights
• Communications (radio, satellite phones)
• Batteries
• Forms and documentation, pens
• Tools
• Protective clothing
• First aid kits
Evidence Identification and
Preservation
• Requirements for collecting and preserving
evidence
• Rules for evidence, admissibility of
evidence, and quality and completeness of
evidence
• The consequences of any contamination of
evidence following a security incident
Post Event Reviews
• Use information gathered to improve response
procedures
• Do reviews with all affected staff
• Follow up on all lessons
Post Event Reviews allow lessons
Disaster Recovery Planning (DRP) and Business
Recovery Processes
Disaster recovery has traditionally
been defined as the recovery of IT
systems from disastrous events
Business recovery (resumption) is
defined as the recovery of the
Development of BCP and DRP
Each of these planning processes typically
includes several main phases, including:
• Risk and business impact assessment
• Response and recovery strategy definition
• Documenting response and recovery plans
• Training all users and response teams
Plan Development
Plan development factors
include:
• Pre-incident readiness
• Evacuation procedures
• How to declare a disaster
• Identifying the business processes and IT
resources that should be recovered
Plan Development cont.
• Identifying contact information
• The step-by-step explanation of
the recovery options
• Identifying the various resources
required for recovery and
continued operations
• Ensuring that other logistics such
as personnel relocation and
temporary housing are considered
Developing Response and Recovery Plans
• Available resources
• Expected service levels
Recovery Strategies
Recovery strategies must be
sustainable for the entire period of
recovery until business processes
are restored to normal
Strategies may include:
• Doing nothing until recovery facilities are ready
• Using manual procedures / workarounds
• Focusing on the most important customers,
suppliers, products, and systems with
Recovery Strategies
• The ability to recover within
acceptable recovery times at
a reasonable cost
• Which recovery strategies are
available
Basis for Recovery Strategy Selections
Response and recovery strategy plans should be
based on the following considerations:
• Interruption window
• Recovery time objectives (RTOs)
• Recovery point objectives (RPOs)
• Service delivery objectives (SDOs)
• Maximum tolerable outages (MTOs) / Maximum
Tolerable Period of Disruption (MTPD)
Disaster Recovery Sites
Types of offsite backup hardware
facilities available include:
• Hot sites
• Warm sites
• Cold sites
• Mobile sites
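How the recovery objectives from the previous slide (RTO, RPO, MTPD) are used to choose among the site types listed above, as an added example that is not part of the CISM course material. Each candidate site is checked against the RTO and RPO, the cheapest one that meets both is chosen, and the objectives themselves are rejected when the RTO is longer than the MTPD, since such a plan would finish recovering after the business can no longer survive the outage. The class and function names (`Objectives`, `Strategy`, `select_strategy`, `gap_report`), the recovery times and replication lags attributed to each site type, and the annual costs are all assumptions constructed for illustration; real figures come from the organization's business impact analysis and vendor quotes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Objectives:
    rto_hours: float   # recovery time objective: how quickly processing must resume
    rpo_hours: float   # recovery point objective: how much data loss (in time) is tolerable
    mtpd_hours: float  # maximum tolerable period of disruption (also called MTO)


@dataclass(frozen=True)
class Strategy:
    name: str
    recovery_hours: float          # time to resume processing at this site
    replication_lag_hours: float   # age of the newest data available at the site
    annual_cost: float             # constructed figure, not a real quote


# Assumed characteristics for the four site types named in the course material.
CANDIDATES = [
    Strategy("hot site", 2, 0.25, 900_000),
    Strategy("warm site", 24, 12, 300_000),
    Strategy("cold site", 96, 24, 80_000),
    Strategy("mobile site", 48, 24, 150_000),
]


def validate(obj):
    """An RTO longer than the MTPD means the plan finishes recovering after the
    business can no longer survive the outage; the objectives themselves are wrong."""
    if obj.rto_hours > obj.mtpd_hours:
        raise ValueError("RTO exceeds MTPD; revisit the business impact analysis")


def meets_objectives(strategy, obj):
    return (strategy.recovery_hours <= obj.rto_hours
            and strategy.replication_lag_hours <= obj.rpo_hours)


def select_strategy(obj, candidates=CANDIDATES):
    """Cheapest strategy that meets both RTO and RPO, or None if none qualifies."""
    validate(obj)
    options = [s for s in candidates if meets_objectives(s, obj)]
    return min(options, key=lambda s: s.annual_cost) if options else None


def gap_report(obj, candidates=CANDIDATES):
    """For each candidate, list which objective it misses; feeds the gap analysis."""
    report = {}
    for s in candidates:
        reasons = []
        if s.recovery_hours > obj.rto_hours:
            reasons.append(f"recovery {s.recovery_hours}h exceeds RTO {obj.rto_hours}h")
        if s.replication_lag_hours > obj.rpo_hours:
            reasons.append(f"data loss {s.replication_lag_hours}h exceeds RPO {obj.rpo_hours}h")
        report[s.name] = reasons
    return report


if __name__ == "__main__":
    # Constructed objectives for two business processes with different tolerances.
    payments = Objectives(rto_hours=4, rpo_hours=1, mtpd_hours=8)
    payroll = Objectives(rto_hours=72, rpo_hours=24, mtpd_hours=120)
    for label, obj in (("payments", payments), ("payroll", payroll)):
        chosen = select_strategy(obj)
        print(label, "->", chosen.name if chosen else "no candidate meets the objectives")
        for name, reasons in gap_report(obj).items():
            if reasons:
                print("   rejected", name + ":", "; ".join(reasons))
```

With these assumed figures the payments process can only be met by the hot site, while the payroll process is served most cheaply by the mobile site; when no candidate qualifies, `gap_report` shows which objective each one misses, which is exactly the input the gap analysis slide asks for.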
Disaster Recovery Sites cont.
Criteria for selecting alternate sites for
processing in the event of a disaster
include:
• The recovery site should not be subject to
the same disaster(s) as the primary site
• Availability of similar hardware /software
• Ability to move people and resources to
the recovery location
Recovery
of Communications
Recovery of IT facilities
involves
telecommunications
and network recovery
• Alternative / Diverse routing
• Long-haul network diversity
• Voice recovery
• Availability of appropriate circuits
and adequate bandwidth
• Availability of out-of-band
communications in case of failure
of primary communication
Notification Requirements
• Representatives of equipment and
software vendors
• Contacts within companies that
have been designated to provide
supplies and equipment or services
• Contacts at recovery facilities,
including hot-site representatives
or predefined network
communications rerouting services
Notification
Requirements cont.
Plan should include a call tree with a
prioritized list of
• Contacts at off-site media storage facilities
and the contacts within the company who are
authorized to retrieve media from the
off-site facility
• Insurance company agents
• Contacts at human resources (HR) and/or
contract personnel services
Response Teams
Number of teams depends upon
size of organization and magnitude
of operations - examples include:
• The emergency action team
• Damage assessment team
Insurance
Types of insurance coverage
• IT equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
Testing Response
and Recovery Plans
Testing must include:
• Developing test objectives
• Executing the test
• Evaluating the test
• Developing recommendations to improve the
effectiveness of testing processes as well as
response and recovery plans
Types of Tests
Tests can include:
• Desk check / Table-top walk-through of the plans
• Table-top walk-through with mock disaster
scenarios (simulation tests)
• Testing the infrastructure and communication
components of the recovery plan
• Testing the infrastructure and recovery of the
critical applications (parallel tests)
Test Results
The test should strive to:
• Verify the completeness and effectiveness of the response and recovery plans
• Evaluate the performance of the personnel involved in the exercise
• Evaluate the coordination among the team members and external vendors and suppliers
Test Results cont.
• Measure the ability and capacity of the backup site to perform required processing
• Ensure vital records / data can be retrieved
• Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
• Measure the overall performance of operational and information systems related to maintaining the business entity