
CISM EXAM PREPARATION

Domain 4

Information Security Incident Management

Domain 4

Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact.

Domain 4 (cont’d)

▪ This domain reviews the essential knowledge necessary to establish an effective program to respond to and subsequently manage incidents that threaten an organization’s information systems and infrastructure.

Domain Objectives

▪ Ensure that the CISM Candidate has the knowledge necessary to:
– Identify, analyze, manage and respond effectively to unexpected events that may adversely affect the organization’s information assets and/or its ability to operate.
– Identify the components of an incident response plan.
– Evaluate the effectiveness of an incident response plan.
– Understand the relationship between an incident response plan, a disaster recovery plan and a business continuity plan.

On the CISM Exam

▪ This domain represents 19% (approximately 28 questions) of the CISM exam.

(Pie chart of exam weighting by domain:)
– Domain 1: Information Security Governance, 24%
– Domain 2: Information Security Risk Management, 30%
– Domain 3: Information Security Program Development and Management, 27%
– Domain 4: Information Security Incident Management, 19%

Domain 4 Overview

▪ Planning and Integration
▪ Readiness and Assessment
▪ Identification and Response

Refer to the CISM Job Practice for Task and Knowledge Statements.

Incident Response Concepts

▪ Incident handling involves:
– Detection and reporting
– Triage
– Analysis
– Incident response
▪ Effective incident management ensures that incidents are detected, recorded and managed to limit impacts.
▪ Incident response encompasses the planning, coordination and execution of appropriate mitigation, containment and recovery strategies and actions.

Section One

Planning and Integration

Task Statements

▪ T4.1 Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate classification and categorization of and response to incidents.
▪ T4.2 Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
▪ T4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.
▪ T4.10 Establish and maintain integration among the incident response plan, business continuity plan and disaster recovery plan.

Task to Knowledge Statements

How does Section One relate to each of the following knowledge statements?

K4.1: The ideas behind incident response as a function of information risk management inform and influence the design of the program.
K4.2: Significant experience over time has normalized a basic standard for incident response planning.
K4.3: Incident response activities may be linked to broader activities for business continuity and disaster recovery.
K4.4: How incidents are evaluated and classified has implications for procedures and trend analysis.
K4.5: An understanding of the ways in which the impact of incidents may be contained helps ensure an effective, comprehensive approach to incident response.

Task to Knowledge Statements

How does Section One relate to each of the following knowledge statements?

K4.6: Incidents can move quickly, and having clear thresholds for notification and escalation helps to get the right people involved at the right time.
K4.7: Knowing what functions need to be completed and who is doing them is important in avoiding gaps in planning and execution.
K4.9: Special considerations apply to collecting and storing data and equipment that may be needed as evidence in a court of law.
K4.10: In addition to organizational requirements, law and regulation may mandate reporting under certain circumstances.
K4.16: Regular, realistic evaluation and testing of response plans is important to their being ready for use when needed.

Key Terms

Computer forensics: The application of the scientific method to digital media to establish factual information for judicial review.
Event: Something that happens at a specific place and/or time.
Gap analysis: A method of assessing the differences in performance between the current state of operations, systems, etc., as compared with the desired state, resulting in a plan to close any “gaps” discovered.
Incident: Any event that is not part of the standard operation of a service and that causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Incident management team: A specific group of people who determines how to manage incidents.
Incident response team: A group of people who prepare for and respond to any emergency incident.

Key Terms

Maximum allowable downtime: The absolute longest amount of time that the system can be unavailable without direct or indirect ramifications to the organization.
Maximum tolerable outage: Maximum time that an enterprise can support processing in alternate mode.
Recovery point objective: Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.
Recovery time objective: The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Service delivery objective: Directly related to the business needs, SDO is the level of services to be reached during the alternate process mode until the normal situation is restored.

See www.isaca.org/glossary for more key terms.

Management and Response

▪ Incident management is a subset of risk management.
▪ The goals of incident management are to:
– Contain disruptive impact to manageable levels
– Restore normal operations within acceptable time frames
▪ Incident management is driven by risk appetite.
▪ Incident response encompasses the operational capabilities of incident management.

Incident Classification

▪ Classifying incidents:
– Enables an appropriate response for each incident
– Improves cost effectiveness
– Makes it easier to design detective controls
▪ Incidents are classified according to causes/effects.

Discussion Question

▪ What are some types of information security incidents?

Common Incident Types

▪ Malicious code attacks
▪ Unauthorized access to IT or information sources
▪ Unauthorized use of services
▪ Unauthorized changes to systems, network devices or information
▪ DoS/DDoS attacks
▪ Surveillance and espionage
▪ Hoaxes/social engineering
▪ Physical disruption

The Incident Response Plan

(Phase diagram:) Preparation → Identification → Containment → Eradication → Recovery → Assessment

The Planning Process

▪ Knowing the organization’s risk appetite and goals is the first step:
– Determine how your organization defines “acceptable” incident response.
– Analyze the gap between current and desired capabilities.
– Build a plan to close the gap using good practices.
▪ Be sure to take needed resources into account.
▪ Use clear language to avoid confusion.

Incident Response Teams

▪ Pre-designated IRTs help to quickly assemble people with useful skills.
– Depending on the incident, specialized skills may be needed.
▪ IRTs may be centralized, distributed or a hybrid model.
▪ IRT structure should be reviewed and approved by senior management.

Incident Response Team Organization

▪ Central IRT: A single IRT handles all incidents
▪ Distributed IRT: Each of several teams is responsible for a logical or physical segment of the infrastructure
▪ Coordinating IRT: A central team provides guidance to distributed IRTs, develops policies and standards, provides training and exercises and coordinates response
▪ Outsourced IRT: All or part of the IRT may be outsourced to a third party

Team Composition

▪ A typical IRT includes:
– Information security manager
– Steering committee/advisory board (governance position only)
– Permanent/dedicated team members
– Virtual/temporary team members
▪ Other positions include:
– Incident response manager
– Incident handler
– Investigator
– IT security specialists
– IT specialists/representatives
– Business managers
– Legal, HR, PR
– Risk management specialist
– Physical security/facilities manager

Good to Know

▪ Some organizations may have a designated incident management team (IMT) that determines how to manage incidents and is separate from the IRT. In other organizations, the IMT and IRT may be the same group of people. For the purposes of this course, IMT will be differentiated when necessary, but in many cases, the IRT will perform these duties.

Incident Response Technology Concepts

▪ Security principles (CIA triad, nonrepudiation)
▪ Risk concepts (vulnerability, impact, etc.)
▪ Networking protocols and devices
▪ Operating systems (configuration, common attack methods, review logs, etc.)
▪ Malicious code (viruses, worms, Trojan horses, APTs)
▪ Development (including programming languages)

Skills

▪ Personal skills:
– Communication
– Writing skills
– Leadership
– Presentation skills
– Team building
– Problem solving
– Time management
▪ Technical skills:
– Technical foundation skills
– Incident-handling skills

Multi-disciplinary Teams

▪ Incidents extend beyond information systems.
– Fire, power outages or natural disasters can affect the entire organization.
– Other incidents may involve legal, privacy, HR, etc.
▪ A permanent spot on the IRT may not be needed, but a point of contact is helpful.

Good to Know

▪ Staff turnover is a persistent threat to incident response plans, and it can be especially hard to keep track of who should be the points of contact for support functions outside of IT and information security. If the IRT needs to contact one of these groups, it will be time sensitive, so review the contact information for everyone listed in the incident response plan on a regular basis and validate that these are still the correct people to have included in the plan.

Current State of Incident Response

▪ Identify what is already in place for incident response:
– Surveys
– Self assessment
– External assessment
▪ Identify trends, events and impacts.
▪ Perform a gap analysis to determine resources needed or areas of improvement.

Forensics

▪ Forensics refers to the gathering of evidence.
▪ Prosecution is an option if evidence is collected and stored properly.
– Many containment and eradication methods may prevent proper evidence collection.
– Inadequate documentation can lead to issues.
▪ Brainstorm scenarios that might require forensic analysis and write them into the plan.
▪ Identify types of forensics that can be handled internally vs. using third-party experts.

Communication

▪ Developing communications during an incident takes time away from other time-critical activities.
▪ Messaging criteria can differ depending on the incident.
▪ Templates can help to make communication easier and faster.

Response and Continuity

▪ Business continuity plans (BCPs) document the ways business processes can resume if the usual way is interrupted.
▪ BCPs are often activated alongside incident response activities.
▪ BCPs include critical factors:
– RTO
– RPO
– SDO
– MTO

Quality-associated Factors

▪ Recovery point objective:
– The “last known good” point to which data must be restored in the event data has been affected
▪ Service delivery objective:
– An indicator of the degree of recovery that is “good enough” for normal operations within a given process to resume
▪ Recovery that does not meet RPO/SDO thresholds is not complete and may require workarounds.

Time-associated Factors

▪ Recovery time objective:
– The target time to resume an acceptable level of operations
– Recovery that takes longer than an RTO likely impacts the organization at tolerable levels.
▪ Maximum tolerable outage:
– The time at which workarounds cease to be adequate to sustain operations
– Recovery that exceeds the MTO is outside the tolerable threshold and may threaten the organization’s survival.

Response and Recovery

▪ Recovery is specific to the affected systems or data.
▪ After a major disruption, recovery activities may be more pronounced.
▪ Disaster recovery documents the strategy and specific activities needed to recover IT capabilities in the case of a major loss.

Types of Recovery Capacity

▪ Mirror site: An alternate site that contains the same information as the original
– Configured for high availability
▪ Hot site: A fully operational offsite data processing facility equipped with both hardware and system software to be used in the event of a disaster
▪ Warm site: Similar to a hot site but not fully equipped with all of the necessary hardware needed for recovery
▪ Cold site: An IS backup facility that has the necessary electrical and physical components of a computer facility, but does not have the computer equipment in place

Discussion Question

▪ Which of the following types of recovery capacity would the following businesses most likely choose, and why?
– Credit card processor
– Sculpture gallery
– Local credit union

Discussion Question: Answers

▪ Credit card processor
– Mirror site: Credit cards are used at all hours of the day around the world and any downtime may result in rejected transactions, with potentially dire impact on reputation and market share.
▪ Sculpture gallery
– Cold site: Information systems most likely have a minor effect on the business’s operations.
▪ Local credit union
– Warm site: An interruption to certain operations pending recovery would likely be acceptable to members in the event of a disaster.

Plan Integration

▪ Response, continuity and recovery often leverage the same resources and staff.
▪ Recovery often waits until eradication is complete, but it may be possible to restore IT capabilities at an alternate site.
▪ Integrating the incident response plan with the BCP and DRP can help to identify overlap.

(Diagram: three overlapping circles labeled Response, Recovery and Continuity.)

Management Support

▪ Building the capabilities needed to manage the information risk associated with incidents requires time, commitment and resources.
▪ Having senior management commitment lends credibility to the program and increases awareness.
– A business case can be used to demonstrate the cost effectiveness of having an incident management and response program.

Questions

In the Big Picture (Section One: Planning and Integration)

• Any event can turn into an incident of unpredictable scope and severity.
• Having a plan that clearly establishes how to categorize incidents, who to involve and how to integrate activities with continuity and recovery functions helps manage risk.

Section One

Practice Questions

Practice Question

Which of the following should be determined FIRST when establishing a business continuity program?

A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams

Practice Question

Which of the following choices should be assessed after the likelihood of a loss event has been determined?

A. The magnitude of impact
B. Risk tolerance
C. The replacement cost of assets
D. The book value of assets

Practice Question

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?

A. Cost to build a redundant processing facility and location
B. Daily cost of losing critical systems and recovery time objectives
C. Infrastructure complexity and system sensitivity
D. Criticality results from the business impact analysis

Practice Question

Which of the following is the FIRST step in developing an incident response plan?

A. Set the minimum time required to respond to incidents.
B. Establish a process to report incidents to senior management.
C. Ensure the availability of skilled resources.
D. Categorize incidents based on likelihood and impact.

Section Two

Readiness and Assessment

Task Statements

▪ T4.6 Organize, train and equip incident response teams to respond to information security incidents in an effective and timely manner.
▪ T4.7 Test, review and revise (as applicable) the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.

Task to Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

K4.7: Knowing what functions need to be completed and who is doing them is important in avoiding gaps in planning and execution.
K4.8: An effective incident response program requires appropriate preparation and resources.
K4.9: Special considerations apply to collecting and storing data and equipment that may be needed as evidence in a court of law.
K4.11: Identifying and addressing the underlying cause of symptoms is essential to effective information risk management.

Task to Knowledge Statements

How does Section Two relate to each of the following knowledge statements?

K4.14: Plans are most effective when they take into account all of the resources available to the organization, including those provided externally.
K4.16: Regular, realistic evaluation and testing of response plans is important to their being ready for use when needed.
K4.18: Organizations need objective methods of measuring the effectiveness of their plans as a basis for refinement.

Key Terms

Full interruption test: A test where operations are shut down at the primary site and shifted to the recovery site in accordance with the recovery plan.
Full operational test: A test where the plan is completely executed short of an actual service disruption.
Parallel test: A test where the recovery site is brought to a state of operational readiness, but operations at the primary site continue normally.
Preparedness test: A localized version of a full test where actual resources are expended in a simulation of a system crash.
Simulation test: A test where the team role-plays a prepared scenario.
Walk-through: A thorough demonstration or explanation that details each step of a process.

See www.isaca.org/glossary for more key terms.

Training

▪ Incident response needs to be practiced in order to be executed quickly.
▪ Focus training on criteria and standards to promote creative thinking within the framework.
▪ Use skills assessments to ensure that the IRT includes all necessary skillsets.

The Role of Testing

▪ Testing increases the likelihood that a plan will work by:
– Assessing the technical soundness of the plan
– Increasing each participant’s familiarity with the plan
▪ Testing uses time and resources, so objectives and criteria should be clear.
▪ Focus on:
– Identifying gaps
– Verifying assumptions
– Validating timelines
– Determining the effectiveness of strategies
– Evaluating the performance of personnel
– Determining the accuracy and currency of plan information

Testing Considerations

▪ Test response plans on a regular basis.
– At least annually
▪ Prior to each test:
– Take steps to limit the risk of disruption.
– Ensure that business managers understand and accept the residual risk.
– Verify that fallback arrangements exist to restore operations at any point during the test if necessary.

Types of Tests

▪ Checklist review: Recovery checklists are reviewed to ensure they are current.
▪ Structured walkthrough: Team members walk through the plans on paper and review each step.
▪ Simulation test: The IRT role-plays a prepared disaster scenario without activating the recovery site.
▪ Parallel test: The recovery site is brought to a state of operational readiness, but the primary site continues as normal.
▪ Full interruption test: Operations are shut down at the primary site and shifted to the recovery site.

Testing Progression

(Staircase diagram, from least to most involved:)
– Table-top walkthrough of plans
– Table-top walkthrough with disaster scenarios
– Testing critical infrastructure and communication
– Testing critical infrastructure and applications
– Testing infrastructure, applications and recovery of end user involvement

Testing Categories

▪ Paper tests: On-paper walkthroughs to increase awareness
▪ Preparedness tests: Live rehearsals on real systems in order to identify deficiencies
▪ Full operational tests: Mimic real-world conditions, but are not quite an actual interruption

Good to Know

▪ Despite the inherent value of using a surprise, realistic exercise to assess your incident response program, unannounced full operational tests are rare. That’s because they tend to be expensive, not only in terms of time and resources devoted to the test but also lost productivity and potential impact to real-world systems that might be targeted.
▪ Even in the event of a truly unannounced exercise, key people within the organization need to know that what is happening is an evaluation. The greater the potential impact of an exercise, the higher the level at which it must be approved, and something that risks operations needs approval from the top.

Testing Phases

▪ Pretest: Set the stage for the actual test.
▪ Test: Actual operational activities are executed to test specific objectives.
▪ Posttest: Cleanup of group activities is performed.

Evaluation Criteria

▪ Evaluation criteria depend on the type of test:
– Paper tests focus on process.
– Tests involving real systems should balance process with demonstrated outcomes.
▪ Testing can be used to highlight the importance of following procedures and to document the skills of the IRT.
▪ An independent third party should monitor and evaluate the test.
▪ Make note of procedures that did not work.

The Importance of Procedures

▪ As people become familiar with the plan, they will begin to anticipate the steps of the process.
▪ In incident response, a structured approach must be followed.
▪ Discourage working from memory, documenting activities solely as a formality, etc.
▪ Reinforce this behavior with refresher training and checklists.

Questions

In the Big Picture (Section Two: Readiness and Assessment)

• Training and testing help improve performance during responses to real-world incidents by building familiarity and offering opportunities to identify and correct deficiencies in a plan.
• Testing should be monitored and evaluated by an independent third party to ensure objectivity.

Section Two

Practice Questions

Practice Question

Observations made by staff during a disaster recovery test are PRIMARILY reviewed to:

A. identify people who have not followed the process.
B. determine lessons learned.
C. identify equipment that is needed.
D. maintain evidence of review.

Practice Question

Different types of tests exist for testing the effectiveness of recovery plans. Which of the following choices occurs during a parallel test that does not occur during a simulation test?

A. The team members step through the individual recovery tasks.
B. The primary site operations are interrupted.
C. A fictitious scenario is used for the test.
D. The recovery site is brought to operational readiness.

Practice Question

In a large organization, effective management of security incidents will be MOST dependent on:

A. clear policies detailing incident severity levels.
B. broadly dispersed intrusion detection capabilities.
C. training employees to recognize security incidents.
D. effective communication and reporting processes.

Practice Question

Which of the following functions is responsible for determining the members of the enterprise’s response teams?

A. Governance
B. Risk management
C. Compliance
D. Information security

Section Three

Identification and Response

Task Statements

▪ T4.3 Develop and implement processes to ensure the timely identification of information security incidents that could impact the business.
▪ T4.4 Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
▪ T4.5 Establish and maintain incident notification and escalation processes to ensure that the appropriate stakeholders are involved in incident response management.
▪ T4.9 Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.

Task to Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

K4.1: The ideas behind incident response as a function of information risk management inform and influence the design of the program.
K4.2: Significant experience over time has normalized a basic standard for incident response planning.
K4.3: Incident response activities may be linked to broader activities for business continuity and disaster recovery.
K4.4: How incidents are evaluated and classified has implications for procedures and trend analysis.
K4.6: Incidents can move quickly, and having clear thresholds for notification and escalation helps to get the right people involved at the right time.
K4.7: Knowing what functions need to be completed and who is doing them is important in avoiding gaps in planning and execution.

Task to Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

K4.8: An effective incident response program requires appropriate preparation and resources.
K4.9: Special considerations apply to collecting and storing data and equipment that may be needed as evidence in a court of law.
K4.10: In addition to organizational requirements, laws and regulations may mandate reporting under certain circumstances.
K4.11: Identifying and addressing the underlying cause of symptoms is essential to effective information risk management.
K4.12: Having the right methods of estimating cost, damage and business impact for particular circumstances makes these activities more effective.

Task to Knowledge Statements

How does Section Three relate to each of the following knowledge statements?

K4.13: Numerous methods exist to facilitate the gathering and evaluation of data relating to incident response.
K4.14: Plans are most effective when they take into account all of the resources available to the organization, including those provided externally.
K4.15: Adjustments to the information systems environment made during response activities need to be evaluated for security implications.
K4.17: Plans and procedures should take into account all requirements imposed from within and outside the organization.
K4.18: Organizations need objective methods of measuring the effectiveness of their plans as a basis for refinement.

Key Terms

Business impact analysis: A process to determine the impact of losing the support of any resource.
Chain of custody: A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Escalation: Increasing the scope and intensity of response activities, usually through notification of higher-level staff within an organization and the addition of resources.

See www.isaca.org/glossary for more key terms.

Key Terms

Intrusion detection system: Inspects network and host security activity to identify suspicious patterns that may indicate a network or system attack.
Intrusion prevention system: A system designed to not only detect attacks, but also to prevent the intended victim hosts from being affected by the attacks.
Root cause: The underlying reason an incident happened.
Triage: The process of sorting, categorizing, and prioritizing events/items.

See www.isaca.org/glossary for more key terms.

Effectiveness and Efficiency

▪ An incident response plan should be effective and efficient.
– Do as much as is needed to manage the risk.
– Do as little as possible beyond what is needed to manage a risk.
▪ The key is knowing what is reasonably likely for a given event.

Incident Management Systems

▪ Distributed incident management systems:
– Consist of multiple specific incident detection capabilities
– Example: IDS (network- and host-based)
▪ Centralized incident management systems:
– Pull together data from distinct capabilities for common analysis
– Example: SIEM

SIEM

▪ An effective SIEM will:
– Consolidate and correlate inputs from multiple systems
– Identify incidents or potential incidents
– Notify staff
– Prioritize incidents based on business impact
– Track incidents until they are closed
– Provide status tracking and notifications
– Integrate with major IT management systems
– Implement good practices guidelines
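As an added example (not part of the course material), a small Python correlation routine shows the first bullets above in practice: it consolidates constructed IDS and authentication log lines, correlates them per host and source address within a time window, identifies incidents, prioritizes them by a constructed BIA criticality rating, and tracks status to closure. Hostnames, addresses, signature names and ratings are all constructed.

```python
"""Correlate events from two log sources into prioritized, tracked incidents.

Added example, not from the course material: a toy version of the SIEM
functions listed on the slide. Every host, address and rating is constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed log lines from a network IDS and an authentication service.
RAW_EVENTS = [
    "2024-05-01T09:00:01Z ids host=web01 sig=sqli-pattern src=203.0.113.5",
    "2024-05-01T09:00:15Z auth host=web01 result=fail user=svc_web src=203.0.113.5",
    "2024-05-01T09:00:20Z auth host=web01 result=fail user=svc_web src=203.0.113.5",
    "2024-05-01T09:00:25Z auth host=web01 result=success user=svc_web src=203.0.113.5",
    "2024-05-01T09:05:00Z auth host=dev07 result=fail user=bob src=198.51.100.9",
    "2024-05-01T11:30:00Z ids host=db01 sig=port-scan src=198.51.100.7",
]

# Constructed BIA output: how critical each asset is to the business (3 = highest).
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "dev07": 1}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.+)$")


@dataclass
class Event:
    ts: datetime
    source: str
    fields: dict


@dataclass
class Incident:
    host: str
    src_ip: str
    kind: str
    base_severity: int            # from the correlation rule that fired
    events: list
    status: str = "open"
    notes: list = field(default_factory=list)

    @property
    def priority(self) -> int:
        """Business-impact weighting: rule severity times asset criticality."""
        return self.base_severity * ASSET_CRITICALITY.get(self.host, 1)


def parse_event(line: str) -> Event:
    """Normalize one 'timestamp source k=v k=v ...' line into an Event."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m.group("source"), fields)


def correlate(lines, window=timedelta(minutes=5)):
    """Group events by (host, source IP), apply rules within a time window,
    and return incidents ordered by priority, highest first."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e.ts)
    groups = {}
    for e in events:
        groups.setdefault((e.fields["host"], e.fields["src"]), []).append(e)

    incidents = []
    for (host, src), evs in groups.items():
        start = evs[0].ts                 # simplification: one window per group
        evs = [e for e in evs if e.ts - start <= window]
        alerts = [e for e in evs if e.source == "ids"]
        fails = [e for e in evs if e.source == "auth" and e.fields.get("result") == "fail"]
        logon_after_alert = bool(alerts) and any(
            e.source == "auth" and e.fields.get("result") == "success" and e.ts > alerts[0].ts
            for e in evs)
        if logon_after_alert:
            kind, sev = "possible compromise", 3   # signature hit, then a successful logon
        elif len(fails) >= 3:
            kind, sev = "brute force", 2
        elif alerts:
            kind, sev = "suspicious activity", 1
        else:
            continue                              # isolated failures stay events, not incidents
        incidents.append(Incident(host, src, kind, sev, evs))
    return sorted(incidents, key=lambda i: i.priority, reverse=True)


def close_incident(inc: Incident, note: str) -> Incident:
    """Track to closure: the status only changes with a recorded disposition."""
    inc.notes.append(note)
    inc.status = "closed"
    return inc


if __name__ == "__main__":
    for inc in correlate(RAW_EVENTS):
        print(inc.priority, inc.host, inc.src_ip, inc.kind, len(inc.events), inc.status)
```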

Incident Management System Considerations

▪ Some considerations for incident management systems include:
– Operating costs: In the absence of an automated incident management system, staff must perform these tasks manually. Training and maintenance costs are higher, and the risk of human error is higher.
– Recovery costs: An automated system can detect and escalate incidents faster than a manual process, reducing further damage.

Manual Reporting

▪ Many incidents are initially detected and reported manually.
▪ Incidents reported to the Help/Service Desk may be a network intrusion or malware.
▪ Defining escalation criteria and improving awareness can help front-line staff identify events.

Notification

▪ Time is of the essence.
▪ Incident response procedures should clearly identify who needs to be notified and the best ways to contact them.
▪ Notification activities are only effective if people understand their responsibilities and perform them efficiently.

Investigation

▪ For each event type, the incident response plan should have:
– A clear series of steps for the initial investigation
– Time estimates for how long each step should take
– Who should perform the step (by role)
▪ A structured approach is important.

Triage

▪ Triage: A process of sorting, categorizing, prioritizing and assigning incoming reports/events
▪ Typically three categories:
– Problems that cannot be readily resolved
– Problems that can wait
– Problems that can be efficiently addressed with available resources
▪ Use BIAs and recovery plans to guide this process.

Escalation

▪ Investigation will often determine no need for further action and initiate the “end of the emergency.”
▪ Escalate an incident whenever a cause for concern is uncovered OR the timeframe for completing a task is exceeded.
▪ The incident response plan should identify people to be notified along with the new steps to complete the ongoing response.

External Notification

▪ Some events may necessitate communication to people outside the organization.
▪ Failure to comply with requirements for communication can result in penalties.
▪ Consult with legal, HR, etc. to ensure that the right people are informed.

Preserving/Collecting Evidence

▪ Two opinions on how to preserve evidence on an affected system:
– Cut power to preserve temporary storage files
– Keep power on to avoid losing malware/file corruption
▪ Analysis should be performed on a copy of a system’s storage drives.
▪ Making a bit-level copy using a write-protect diode and comparing hashes can help to establish the validity of the investigation.

Documentation

▪ Accurate records of an incident as it unfolds are useful.
– Clear timelines can identify root cause.
– Undocumented changes may introduce risks.
– An unbroken chain of custody preserves evidence.
▪ Standardized forms help ensure the right information is recorded.

88
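The Preserving/Collecting Evidence and Documentation slides together describe the acquisition discipline that the first practice question below tests: image the media bit for bit, hash the original and the image, work only on a copy, and record every handling step in an unbroken chain of custody. The following is an added example of that workflow, not ISACA's own code; it operates on a constructed sample file standing in for the suspect media, and the analyst names and file names are hypothetical. A real acquisition would read the device through a hardware write blocker rather than a plain file open.

```python
"""Bit-level imaging with hash verification and a chain-of-custody log.
Added illustration, not ISACA's own code. The 'suspect media' is a
constructed sample file; analyst names and paths are hypothetical."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash and copy in 1 MiB pieces so large media fit in memory


def sha256_of(path):
    """Hash a file in chunks; the digest is the evidence fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def log_custody(log, action, item, handler, digest):
    """Append one chain-of-custody entry: who did what to which item, when."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "item": os.path.basename(item),
        "handler": handler,
        "sha256": digest,
    })


def acquire_image(source, image, handler, log):
    """Bit-level copy of the source media to an image file, verified by hash.
    Returns (hashes_match, acquisition_hash)."""
    source_hash = sha256_of(source)
    log_custody(log, "hashed original media", source, handler, source_hash)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of(image)
    log_custody(log, "acquired bit-level image", image, handler, image_hash)
    return source_hash == image_hash, source_hash


def verify_integrity(path, expected_hash, handler, log):
    """Re-hash an item and record whether it still matches the acquisition hash."""
    current = sha256_of(path)
    outcome = "verified" if current == expected_hash else "MISMATCH"
    log_custody(log, outcome, path, handler, current)
    return current == expected_hash


def run_demo():
    """Acquire, copy for analysis, then detect an inadvertent alteration of the
    working copy while showing the image itself is still intact."""
    workdir = tempfile.mkdtemp()
    try:
        suspect = os.path.join(workdir, "suspect_media.raw")
        image = os.path.join(workdir, "evidence.dd")
        working = os.path.join(workdir, "working_copy.dd")
        # Constructed sample 'drive' contents, about 1 MiB (not real evidence).
        with open(suspect, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE MEDIA " * 40000 + b"\x00" * 4096)
        log = []
        verified, acq_hash = acquire_image(suspect, image, "analyst A", log)
        # Analysis is done on a copy of the image, never on the original media.
        shutil.copyfile(image, working)
        copy_ok = verify_integrity(working, acq_hash, "analyst B", log)
        # The mistake from the practice question: the working copy gets altered.
        with open(working, "r+b") as f:
            f.seek(100)
            f.write(b"X")
        altered_ok = verify_integrity(working, acq_hash, "analyst B", log)
        image_ok = verify_integrity(image, acq_hash, "analyst B", log)
        return {
            "image_verified": verified,
            "working_copy_verified": copy_ok,
            "altered_copy_verified": altered_ok,
            "image_still_intact": image_ok,
            "custody_entries": len(log),
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(run_demo())
```

Because every handling step writes a hash into the log, a later reviewer can see exactly when the working copy diverged from the acquisition hash and confirm that the image, and therefore the original media, was never touched.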
Post-incident Review

▪ Take time to review what happened and why:
– Opportunities for improvement in the plan
– Lessons learned
– Calculate the cost of the incident
▪ Use a consistent approach and capture information while it is still fresh.

89
Root Cause Analysis

▪ Without identifying the root cause of an incident, similar incidents may continue to occur.
▪ Answer the following questions:
– Who is involved?
– What has happened?
– Where did the attack originate?
– When (what time frame)?
– Why did it happen?
– How was the system vulnerable or how did the attack occur?
– What was the reason for the attack (i.e., the perpetrator’s motivation)?
▪ Develop recommendations to address the root cause using a risk-based approach.

90
Discussion Question

▪ An outsider has gained network access using the credentials of an unsuspecting insider.
▪ What are some possible root causes?

91
Good to Know

▪ “Addressing” a root cause does not necessarily mean “fixing” it. The post-incident review is part of the overall program for managing information risk, and any corrective actions proposed as a result of the review should reflect a risk-based approach. If the cost of mitigating a vulnerability is higher than its potential impact, accepting the risk or transferring it through a third-party agreement may be preferable.

92
Questions

93

In the Big Picture

Section Three
Identification and Response

• When an incident occurs, time is of the essence, but documentation is a critical part of the process that helps to identify root causes.
• Unless root causes are identified, similar incidents are likely to occur in the future despite any actions taken to correct symptoms.

94
Section Three

Practice Questions

Practice Question

In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?

A. Perform a backup of the suspect media to new media.
B. Create a bit-by-bit image of the original media source onto new media.
C. Make a copy of all files that are relevant to the investigation.
D. Run an error-checking program on all logical drives to ensure that there are no disk errors.

96
Practice Question

Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?

A. Communicating specially drafted messages by an authorized person
B. Refusing to comment until recovery
C. Referring the media to the authorities
D. Reporting the losses and recovery strategy to the media

97
Practice Question

Which of the following actions should be taken when an online trading company discovers a network attack in progress?

A. Shut off all network access points
B. Dump all event logs to removable media
C. Isolate the affected network segment
D. Enable trace logging on all events

98
Practice Question

Which of the following choices is the BEST input for the definition of escalation guidelines?

A. Risk management issues
B. A risk and impact analysis
C. Assurance review reports
D. The effectiveness of resources

99
Domain 4

Summary

Summary

▪ Incident management, a subset of risk management, aims to contain the disruptive impact of an incident and restore normal operations.
▪ Incidents are often classified in order to better tailor response activities and efforts.
▪ Incident response teams pull together necessary resources to quickly respond to incidents and generally extend beyond the IT department.
▪ Standardized templates should be used where possible to ensure consistency and expedite activities.

101
Summary

▪ Business continuity and incident response work together to ensure operations can continue and be recovered effectively and efficiently.
▪ Test the incident response to gain confidence that it will work as expected.
▪ Perform testing regularly and in ways designed to reduce the risk of unexpected disruptions to normal operations.
▪ Use test results to improve the plan and provide education and training to IRT members.

102
Summary

▪ Incident management systems may help to identify and contain incidents at their initial stages.
▪ The incident response plan should include clear steps for incident investigation and criteria for escalation.
▪ Take preservation of evidence into account as part of the plan.
▪ Use post-incident reviews to identify the root causes of incidents and address them on the basis of risk.

103
