Marc Vael, profile picture
Uploaded byMarc Vael
PPT, PDF2,030 views

ISACA Belgium CERT view 2011

The document discusses the key responsibilities of a CISO regarding incident management and response. It outlines establishing processes for detecting, identifying, analyzing and responding to security incidents. This includes developing escalation processes, response plans, and integrating response plans with business continuity and disaster recovery plans. It also discusses organizing incident response teams, conducting testing and reviews to improve effectiveness.

Embed presentation

Downloaded 174 times
Incident Management and Response
CISO Tasks Develop & implement processes for detecting, identifying, analyzing and responding to information security incidents Establish escalation & communication processes & lines of authority Develop plans to respond to & document information security incidents Establish capability to investigate information security incidents Develop process to communicate with internal parties & external organizations Integrate information security incident response plans with disaster recovery (DRP) & business continuity plan (BCP) Organize, train, equip teams to respond to information security incidents Periodically test & refine information security incident response plans Manage response to information security incidents Conduct reviews to identify causes of information security incidents, develop corrective actions & reassess risk
Definition What is incident management and response? Incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs).
Incident Management and Response Overview Purpose = manage impact of unexpected disruptive events to acceptable levels Possible disruptions may be Technical Physical Environmental Any type of incident that can significantly affect organization’s ability to operate or that may cause damage must be considered by the CISO
Outcomes of Incident Management and Response Outcomes of good incident management & response include organization that Can deal effectively with unanticipated events Has sufficient detection & monitoring capabilities Has well defined severity & declaration criteria as well as defined escalation & notification processes Has response capabilities that demonstrably support business strategy Proactively manages risks of incidents appropriately Periodically tests its capabilities Provides monitoring & metrics to gauge performance of incident management & response capabilities
Scope & Charter of Incident Management Scope/charter document Formally establishes IMT Documents its responsibility to manage & respond to security incidents Sections of charter should include: Mission Scope Organizational structure Information flow Services provided
Responsibilities Incident response goals include: Containing effects of incident ( damage & losses do not escalate out of control) Notifying appropriate people for purpose of recovery or to provide needed information Recovering quickly & efficiently from security incidents Minimizing impact of info security incident Responding systematically & decreasing likelihood of recurrence Balancing operational & security processes Dealing with legal & law enforcement-related issues
Senior Management Commitment Senior management is critical to success of incident management & response Incident management & response Is component of risk management Needs same level of support from senior management
Desired State Incident management & response requires: Well-developed monitoring capabilities for key controls Personnel trained in assessing situation, capable of providing triage, managing effective responses Managers that have made provisions to capture all relevant information & apply previously learned lessons Managers who Know when disaster is imminent Have well-defined criteria Have experience, knowledge, and authority to invoke disaster recovery processes necessary to maintain or recover operational status
Challenges in Developing an Incident Management Plan Challenges may be result of Lack of management buy-in & organizational consensus Mismatch to organizational goals & structure IMT member turnover Lack of communication process Complex & wide plan
Policies and Standards Documented set of incident response policies, standards and procedures is important to: Ensure incident management activities are aligned to IMT mission Set correct expectations Provide guidance for operational needs Maintain consistency & reliability of services
Personnel IMT usually consists of CISO (who usually leads the team) Steering committee/advisory board Permanent/dedicated team members Virtual/temporary team members Composition of incident response staff will vary from team-to-team & will depend on number of factors such as: Mission & goals of incident response program Nature & range of services offered Available staff expertise Constituency size & technology base Anticipated incident load Severity or complexity of incident reports Funding
Roles and Responsibilities
Roles and Responsibilities (continued)
Roles and Responsibilities (continued)
Skills Basic skills for incident response team members can be separated into 2 groups: Personal skills Communication Presentation skills Ability to follow policies and procedures Team skills Integrity Self understanding Coping with stress Problem solving Time management Technical skills Technical foundation skills—Require basic understanding of underlying technologies used by organization Incident handling skills—Require understanding of techniques, decision points & supporting tools required in daily activities
Current State of Incident Response Capability Ways to identify current state of incident response capability include: Survey of senior management, business managers and IT representatives Self-assessment External assessment or audit
History of Incidents Past incidents provide valuable information on trends, types and business impacts Can be used as input for assessment of IMT’s performance Used as input to assessment of types of incidents that must be considered & planned for
Risk Tolerance Risk tolerance = same as acceptable risk which must be determined by management CISO should be aware that incident management also includes BCP & DRP Overall response management = combination of BCP, DRP, continuity of business operations and incident response
Integrating a BIA Into Incident Response CISO needs to Oversee development of response & recovery plans* to ensure they are properly designed & implemented Ensure resources required to continue business are identified & recorded Identify & validate response and recovery strategies Obtain senior management approval of strategies Oversee development of comprehensive response & recovery plans * Should be based on BIA
Integrating RTO & RPO Into Incident Response RTO = amount of time allowed for recovery of business function or resource after disaster occurs Effective incident management = includes resolving incidents with acceptable interruption window (AIW) RPO = measurement of point prior to outage to which data are to be restored Describes state of recovery that should be achieved to facilitate acceptable outcomes
Elements of an Incident Response Plan CIAC & SANS Institute propose following incident response phases: Preparation Identification Containment Eradication Recovery Lessons learned
Elements of an Incident Response Plan Preparation —prepares organization to develop incident response plan prior to incident. Sufficient preparation facilitates smooth execution. Activities: Establishing approach to handle incidents Establishing policy & warning banners in information systems to deter intruders & allow information collection Establishing communication plan to stakeholders Developing criteria on when to report incident to authorities Developing process to activate incident management team Establishing secure location to execute incident response plan Ensuring equipment needed is available
Elements of an Incident Response Plan Identification —aims to verify if incident has happened & find out more details about incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as incident. Activities: Assigning ownership of incident or potential incident to incident handler Verifying reports or events qualify as incident Establishing chain of custody during identification when handling potential evidence Determining severity of incident & escalating it as necessary
Elements of an Incident Response Plan Containment —After incident has been identified & confirmed, IMT is activated & information from incident handler is shared. Team will conduct detailed assessment & contact system owner or business manager of the affected information systems/assets to coordinate further action. The action taken is to limit the exposure. Activities: Activating incident management/response team to contain incident Notifying appropriate stakeholders affected by incident Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process Getting IT representative & relevant virtual team members involved to implement containment procedures Obtaining & preserving evidence Documenting & taking backups of actions from this phase onward Controlling & managing communication to public by PR team
Elements of an Incident Response Plan Eradication —When containment measures have been deployed, it is time to determine root cause of incident & eradicate it. Eradication can be done in number of ways: restoring backups to achieve clean state of system, removing root cause, improving defenses & performing vulnerability analysis to find further potential damage from same root cause. Activities: Determining signs & cause of incidents Locating most recent version of backups or alternative solutions Removing root cause. In event of worm or virus infection, it can be removed by deploying appropriate patches & updated antivirus software. Improving defenses by implementing protection techniques Performing vulnerability analysis to find new vulnerabilities introduced by root cause
Elements of an Incident Response Plan Recovery —ensures affected systems or services are restored to condition specified in RPO. The time constraint is documented in RTO. Activities: Restoring operations to normal Validating that actions taken on restored systems were successful Getting involvement of system owners to test system Facilitating system owners to declare normal operation
Elements of an Incident Response Plan Lessons learned At end of incident response process, report should always be developed to share what has happened, what measures were taken & results after plan was executed. Part of report should contain lessons learned that provide IMT & other stakeholders valuable learning points of what could have been done better. These lessons should be developed into plan to enhance incident management capability & documentation of incident response plan. Activities: Writing incident report Analyzing issues encountered during incident response efforts Proposing improvement based on issues encountered Presenting report to relevant stakeholders
Organizing, Training and Equipping the Response Staff Every IMT member should get following training: Induction to IMT—basic information about the team and its operations Mentoring re. team’s roles, responsibilities and procedures On the job training Formal training
Recovery Planning and Business Recovery Processes DRP is traditionally defined as recovery of IT systems when disastrous events BCP is defined as recovery of critical business processes necessary to continue or resume operations. Each of these planning processes typically includes several main phases, including: Risk & business impact assessment Response & recovery strategy definition Documenting response & recovery plans Training that covers response a&recovery procedures Updating response & recovery plans Testing response & recovery plans Auditing response & recovery plans
Recovery Strategies Most appropriate strategy = one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost Development of incident management & response plan = difficult & expensive process that may take considerable time development of several alternative strategies prudent to consider outsourcing some or all of the needed capabilities
Incident Management and Response Teams Number of teams depends upon size of organization & magnitude of operations - examples include: Emergency action team Damage assessment team Emergency management team Relocation team Security team
Notification Requirements Plan should include call tree with prioritized list of contacts Representatives of equipment & software vendors Contacts within companies have been designated to provide supplies & equipment or services Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services Contacts at offsite media storage facilities & contacts within company who are authorized to retrieve media from offsite facility Insurance company agents Contacts at human resources (HR) & contract personnel services Law enforcement contacts
Periodic Testing of the Response and Recovery Plans Testing must include: Developing test objectives Executing test Evaluating test Developing recommendations to improve effectiveness of testing processes as well as response & recovery plans Implementing follow-up process to ensure recommendations are implemented
Testing for Infrastructure and Critical Business Applications After test objectives have been defined, CISO must: Ensure independent third party observer is present to monitor & evaluate the test  Implement tracking process to ensure any recommendations resulting from testing are implemented in timely fashion Know about disaster recovery testing for infrastructure & critical business applications
Type of Tests Tests that are progressively more challenging: Table-top walk-through of plans Table-top walk-through with mock disaster scenarios Testing infrastructure & communication components of plan Testing infrastructure & recovery of critical applications Testing infrastructure, critical applications & involvement of end users Full restoration & recovery tests with some personnel unfamiliar with systems Surprise tests
Ensuring Execution as Required Facilitator or director* is needed to Direct tasks within plans Oversee plan execution Liaise with senior management Make decisions as necessary Defining appropriate recovery strategies & alternatives is important in overall process * - The CISO often serves as facilitator
Establishing Procedures If an incident occurs: Information security staff needs documented procedures so that information can be properly recorded and preserved CISO should develop data/evidence preservation procedures Information systems staff must understand basic procedures, including taking no action that could change/modify/contaminate potential or actual evidence Initial response by system administrator should include: Retrieving information needed to confirm incident Identifying scope & size of affected environment (e.g., networks, systems, applications) Determining degree of loss, modification or damage (if any) Identifying possible path or means of attack
Requirements for Evidence CISO must know Requirements for collecting & presenting evidence Rules for evidence, admissibility of evidence, and quality and completeness of evidence Consequences of any contamination of evidence following info security incident
Post-event Reviews Post-event reviews = critical part of incident management process CISO should: Manage post-event reviews to learn from completed tasks & to use information to improve IMT’s response procedures Consider enlisting help of third-party specialists if detailed forensic skills are needed
Contact Information Mr. Marc Vael CISA, CISM, CGEIT, CISSP, ITIL Service Manager, Prince2 Foundation Vice President ISACA Belgium Chapter Koningsstraat 109-111 1000 Brussels Belgium [email_address] [email_address]
November 2011 ISACA

More Related Content

PDF
Vulnerability Management Whitepaper PowerPoint Presentation Slides
bySlideTeam
 
PDF
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
byShivamSharma909
 
PPTX
Business Continuity & Disaster Recovery
byEC-Council
 
PDF
CISA Domain 4 Information Systems Operation | Infosectrain
byInfosecTrain
 
PDF
IT Security and Risk Management - Visionet Systems
byVisionet Systems, Inc.
 
PDF
A Practical Approach to Incident Management for SaaS/PaaS
byMichael Weber
 
DOCX
Generic_Sample_INFOSECPolicy_and_Procedures
bySamuel Loomis
 
PDF
Security & Risk Management
byAhmed Sayed-
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
bySlideTeam
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
byShivamSharma909
 
Business Continuity & Disaster Recovery
byEC-Council
 
CISA Domain 4 Information Systems Operation | Infosectrain
byInfosecTrain
 
IT Security and Risk Management - Visionet Systems
byVisionet Systems, Inc.
 
A Practical Approach to Incident Management for SaaS/PaaS
byMichael Weber
 
Generic_Sample_INFOSECPolicy_and_Procedures
bySamuel Loomis
 
Security & Risk Management
byAhmed Sayed-
 

What's hot

PDF
CISA Domain- 1 - InfosecTrain
byInfosecTrain
 
PPTX
Information Security Risk Management
byNikhil Soni
 
PPTX
Planning for security and security audit process
byDivya Tiwari
 
PPTX
Cybersecurity Audit
byEC-Council
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PDF
Tips for IT Risk Management Prof. Hernan Huwyler Information Security Institute
byHernan Huwyler, MBA CPA
 
PPT
IT Security management and risk assessment
byCAS
 
PPTX
Security Policies and Standards
byprimeteacher32
 
PDF
The Surprising Truth About Your Disaster Recovery Maturity Level
byAxcient
 
PPTX
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
PPT
SLVA - Security monitoring and reporting itweb workshop
bySLVA Information Security
 
PDF
Chapter 12 iso 27001 awareness
bynewbie2019
 
PPTX
Control and Audit Information System
byarif prasetyo
 
PDF
TrustedAgent and Defense Industrial Base (DIB)
byTuan Phan
 
PDF
Best Practices in Major Incident Management
byxMatters Inc
 
PPTX
ITIL Incident management
byManageEngine
 
PPT
It Audit Expectations High Detail
byecarrow
 
PDF
TrustedAgent GRC for Public Sector
byTuan Phan
 
PPTX
Its time to rethink everything a governance risk compliance primer
byEnclaveSecurity
 
PPTX
IT6701-Information Management Unit 5
bySIMONTHOMAS S
 
CISA Domain- 1 - InfosecTrain
byInfosecTrain
 
Information Security Risk Management
byNikhil Soni
 
Planning for security and security audit process
byDivya Tiwari
 
Cybersecurity Audit
byEC-Council
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Tips for IT Risk Management Prof. Hernan Huwyler Information Security Institute
byHernan Huwyler, MBA CPA
 
IT Security management and risk assessment
byCAS
 
Security Policies and Standards
byprimeteacher32
 
The Surprising Truth About Your Disaster Recovery Maturity Level
byAxcient
 
Step by-step for risk analysis and management-yaser aljohani
byYaser Alrefai
 
SLVA - Security monitoring and reporting itweb workshop
bySLVA Information Security
 
Chapter 12 iso 27001 awareness
bynewbie2019
 
Control and Audit Information System
byarif prasetyo
 
TrustedAgent and Defense Industrial Base (DIB)
byTuan Phan
 
Best Practices in Major Incident Management
byxMatters Inc
 
ITIL Incident management
byManageEngine
 
It Audit Expectations High Detail
byecarrow
 
TrustedAgent GRC for Public Sector
byTuan Phan
 
Its time to rethink everything a governance risk compliance primer
byEnclaveSecurity
 
IT6701-Information Management Unit 5
bySIMONTHOMAS S
 

Viewers also liked

PPT
ITIL Practical Guide - Continual Service Improvement (CSI)
byAxios Systems
 
PDF
Network Operation Center Best Practices
byAyehu Software Technologies Ltd.
 
PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
PDF
CA Service Desk Administrator Guide with Examples
byArshad Havaldar
 
PPT
Hyperion Planning Security
byadivasoft
 
PPT
It Service Management Implementation Overview
byAlan McSweeney
 
PDF
ITSM (IT Service Management) & ITIL V3 Foundation
byPrudentialSolutions
 
PPTX
Process Improvement Roadmap
byHany Omar, PMP, ITIL, CMMI, 6σ
 
PDF
Mapa mental ITIL
byFernando Palma
 
PPT
Ca Service Desk Presentation
byEmirates Computers
 
DOC
Planning learn step by step
byksrajakumar
 
PDF
EHSM PUBLIC SECTOR CASE MANAGEMENT SOLUTION
byLennart Winqvist
 
PDF
Incident Response
byInnoTech
 
PDF
Periodic Reassessment, Continuous Improvement of Finance Operations
byCognizant
 
ITIL Practical Guide - Continual Service Improvement (CSI)
byAxios Systems
 
Network Operation Center Best Practices
byAyehu Software Technologies Ltd.
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
CA Service Desk Administrator Guide with Examples
byArshad Havaldar
 
Hyperion Planning Security
byadivasoft
 
It Service Management Implementation Overview
byAlan McSweeney
 
ITSM (IT Service Management) & ITIL V3 Foundation
byPrudentialSolutions
 
Process Improvement Roadmap
byHany Omar, PMP, ITIL, CMMI, 6σ
 
Mapa mental ITIL
byFernando Palma
 
Ca Service Desk Presentation
byEmirates Computers
 
Planning learn step by step
byksrajakumar
 
EHSM PUBLIC SECTOR CASE MANAGEMENT SOLUTION
byLennart Winqvist
 
Incident Response
byInnoTech
 
Periodic Reassessment, Continuous Improvement of Finance Operations
byCognizant
 

Similar to ISACA Belgium CERT view 2011

PDF
Microsoft Navigating Incident Response [EN].pdf
bySnarky Security
 
PDF
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
byChris Galvan
 
PPTX
Purple Gradient Illustration Cyber Security Presentation (1).pptx
byadnanhanif190b
 
PDF
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
PPTX
Lecture 06 - Incident Management and SOC.pptx
byprasadsanjaya2
 
PPTX
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
PPTX
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
byCashmir Pangandaman
 
PDF
domain 2 for certified cybersecurity pfd
bytinotenda13
 
PDF
5 Steps to Improve Your Incident Response Plan
byResilient Systems
 
DOC
Importance Of Structured Incident Response Process
byAnton Chuvakin
 
PPTX
Incident Response Security
byssuser30902e
 
PDF
Ch4 cism 2014
byAladdin Dandis
 
PDF
A Guide for Businesses.pdf
byDaviesParker
 
DOCX
DISASTER RECOVERY 14Disaster RecoveryStude.docx
bysalmonpybus
 
PPTX
IT Security and Management - Semi Finals by Mark John Lado
byMark John Lado, MIT
 
DOCX
Winchester Aquarium and Pet Center Incident Response Plan
byR. Curtis Roth
 
PPT
Events Management or How to Survive Security Incidents
byguest6fd3c2f9
 
PPT
Belnet events management
byXavier Mertens
 
PPTX
You Will Be Breached
byMike Saunders
 
PPTX
Cyber Incident Response - When it happens, will you be ready?
byDan Michaluk
 
Microsoft Navigating Incident Response [EN].pdf
bySnarky Security
 
Practical Guide to Managing Incidents Using LLM's and NLP.pdf
byChris Galvan
 
Purple Gradient Illustration Cyber Security Presentation (1).pptx
byadnanhanif190b
 
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
Lecture 06 - Incident Management and SOC.pptx
byprasadsanjaya2
 
INCIDENT-RESPONSE_093004 (1).pdtffyghgptx
byjess12castano
 
KSS ON CYBERSECURITY INCIDENT RESPONSE AND PLANNING MANAGEMENT.pptx
byCashmir Pangandaman
 
domain 2 for certified cybersecurity pfd
bytinotenda13
 
5 Steps to Improve Your Incident Response Plan
byResilient Systems
 
Importance Of Structured Incident Response Process
byAnton Chuvakin
 
Incident Response Security
byssuser30902e
 
Ch4 cism 2014
byAladdin Dandis
 
A Guide for Businesses.pdf
byDaviesParker
 
DISASTER RECOVERY 14Disaster RecoveryStude.docx
bysalmonpybus
 
IT Security and Management - Semi Finals by Mark John Lado
byMark John Lado, MIT
 
Winchester Aquarium and Pet Center Incident Response Plan
byR. Curtis Roth
 
Events Management or How to Survive Security Incidents
byguest6fd3c2f9
 
Belnet events management
byXavier Mertens
 
You Will Be Breached
byMike Saunders
 
Cyber Incident Response - When it happens, will you be ready?
byDan Michaluk
 

More from Marc Vael

PDF
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
byMarc Vael
 
PDF
ISACA Reporting relevant IT risks to stakeholders
byMarc Vael
 
PPTX
ISACA smart security for smart devices
byMarc Vael
 
PDF
Cybersecurity nexus vision
byMarc Vael
 
PDF
Belgian Data Protection Commission's new audit programme
byMarc Vael
 
PDF
Cybersecurity governance existing frameworks (nov 2015)
byMarc Vael
 
PDF
my experience as ciso
byMarc Vael
 
PDF
Value-added it auditing
byMarc Vael
 
PDF
The value of big data analytics
byMarc Vael
 
PPTX
Securing big data (july 2012)
byMarc Vael
 
PDF
ISACA Cloud Computing Risks
byMarc Vael
 
PDF
ISACA Mobile Payments Forum presentation
byMarc Vael
 
PDF
Cloud security lessons learned and audit
byMarc Vael
 
PDF
Social media risks and controls
byMarc Vael
 
PDF
Valuendo cyberwar and security (jan 2012) handout
byMarc Vael
 
PDF
Information security awareness (sept 2012) bis handout
byMarc Vael
 
PDF
How secure are chat and webconf tools
byMarc Vael
 
PDF
The view of auditor on cybercrime
byMarc Vael
 
PDF
Advantages of privacy by design in IoE
byMarc Vael
 
PDF
ISACA Internet of Things open forum presentation
byMarc Vael
 
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
byMarc Vael
 
ISACA Reporting relevant IT risks to stakeholders
byMarc Vael
 
ISACA smart security for smart devices
byMarc Vael
 
Cybersecurity nexus vision
byMarc Vael
 
Belgian Data Protection Commission's new audit programme
byMarc Vael
 
Cybersecurity governance existing frameworks (nov 2015)
byMarc Vael
 
my experience as ciso
byMarc Vael
 
Value-added it auditing
byMarc Vael
 
The value of big data analytics
byMarc Vael
 
Securing big data (july 2012)
byMarc Vael
 
ISACA Cloud Computing Risks
byMarc Vael
 
ISACA Mobile Payments Forum presentation
byMarc Vael
 
Cloud security lessons learned and audit
byMarc Vael
 
Social media risks and controls
byMarc Vael
 
Valuendo cyberwar and security (jan 2012) handout
byMarc Vael
 
Information security awareness (sept 2012) bis handout
byMarc Vael
 
How secure are chat and webconf tools
byMarc Vael
 
The view of auditor on cybercrime
byMarc Vael
 
Advantages of privacy by design in IoE
byMarc Vael
 
ISACA Internet of Things open forum presentation
byMarc Vael
 

Recently uploaded

PDF
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
PDF
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PPTX
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
DataLiva-LivaGRC- Business Software for Governance, Risk, and Compliance
byMustafa Kuğu
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
Xemelgo - RFID Industry Predictions for 2026
byRich Rogers
 
What is Voice User Interface (VUI) Definition & Examples.pdf
byDesign Studio UI UX
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
Information and Communication Technologies and Power
byJeffrey Hart
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Pizza Chain Market Data Scraping for Better Insights Report.pptx
byWeb Data Crawler
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 

ISACA Belgium CERT view 2011

  • 1.
  • 2.
    CISO Tasks Develop& implement processes for detecting, identifying, analyzing and responding to information security incidents Establish escalation & communication processes & lines of authority Develop plans to respond to & document information security incidents Establish capability to investigate information security incidents Develop process to communicate with internal parties & external organizations Integrate information security incident response plans with disaster recovery (DRP) & business continuity plan (BCP) Organize, train, equip teams to respond to information security incidents Periodically test & refine information security incident response plans Manage response to information security incidents Conduct reviews to identify causes of information security incidents, develop corrective actions & reassess risk
  • 3.
    Definition What isincident management and response? Incident management is the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs).
  • 4.
    Incident Management andResponse Overview Purpose = manage impact of unexpected disruptive events to acceptable levels Possible disruptions may be Technical Physical Environmental Any type of incident that can significantly affect organization’s ability to operate or that may cause damage must be considered by the CISO
  • 5.
    Outcomes of IncidentManagement and Response Outcomes of good incident management & response include organization that Can deal effectively with unanticipated events Has sufficient detection & monitoring capabilities Has well defined severity & declaration criteria as well as defined escalation & notification processes Has response capabilities that demonstrably support business strategy Proactively manages risks of incidents appropriately Periodically tests its capabilities Provides monitoring & metrics to gauge performance of incident management & response capabilities
  • 6.
    Scope & Charterof Incident Management Scope/charter document Formally establishes IMT Documents its responsibility to manage & respond to security incidents Sections of charter should include: Mission Scope Organizational structure Information flow Services provided
  • 7.
    Responsibilities Incidentresponse goals include: Containing effects of incident ( damage & losses do not escalate out of control) Notifying appropriate people for purpose of recovery or to provide needed information Recovering quickly & efficiently from security incidents Minimizing impact of info security incident Responding systematically & decreasing likelihood of recurrence Balancing operational & security processes Dealing with legal & law enforcement-related issues
  • 8.
    Senior Management CommitmentSenior management is critical to success of incident management & response Incident management & response Is component of risk management Needs same level of support from senior management
  • 9.
    Desired State Incidentmanagement & response requires: Well-developed monitoring capabilities for key controls Personnel trained in assessing situation, capable of providing triage, managing effective responses Managers that have made provisions to capture all relevant information & apply previously learned lessons Managers who Know when disaster is imminent Have well-defined criteria Have experience, knowledge, and authority to invoke disaster recovery processes necessary to maintain or recover operational status
  • 10.
    Challenges in Developingan Incident Management Plan Challenges may be result of Lack of management buy-in & organizational consensus Mismatch to organizational goals & structure IMT member turnover Lack of communication process Complex & wide plan
  • 11.
    Policies and StandardsDocumented set of incident response policies, standards and procedures is important to: Ensure incident management activities are aligned to IMT mission Set correct expectations Provide guidance for operational needs Maintain consistency & reliability of services
  • 12.
    Personnel IMT usuallyconsists of CISO (who usually leads the team) Steering committee/advisory board Permanent/dedicated team members Virtual/temporary team members Composition of incident response staff will vary from team-to-team & will depend on number of factors such as: Mission & goals of incident response program Nature & range of services offered Available staff expertise Constituency size & technology base Anticipated incident load Severity or complexity of incident reports Funding
  • 13.
  • 14.
  • 15.
  • 16.
    Skills Basic skillsfor incident response team members can be separated into 2 groups: Personal skills Communication Presentation skills Ability to follow policies and procedures Team skills Integrity Self understanding Coping with stress Problem solving Time management Technical skills Technical foundation skills—Require basic understanding of underlying technologies used by organization Incident handling skills—Require understanding of techniques, decision points & supporting tools required in daily activities
  • 17.
    Current State ofIncident Response Capability Ways to identify current state of incident response capability include: Survey of senior management, business managers and IT representatives Self-assessment External assessment or audit
  • 18.
    History of IncidentsPast incidents provide valuable information on trends, types and business impacts Can be used as input for assessment of IMT’s performance Used as input to assessment of types of incidents that must be considered & planned for
  • 19.
    Risk Tolerance Risktolerance = same as acceptable risk which must be determined by management CISO should be aware that incident management also includes BCP & DRP Overall response management = combination of BCP, DRP, continuity of business operations and incident response
  • 20.
    Integrating a BIAInto Incident Response CISO needs to Oversee development of response & recovery plans* to ensure they are properly designed & implemented Ensure resources required to continue business are identified & recorded Identify & validate response and recovery strategies Obtain senior management approval of strategies Oversee development of comprehensive response & recovery plans * Should be based on BIA
  • 21.
    Integrating RTO &RPO Into Incident Response RTO = amount of time allowed for recovery of business function or resource after disaster occurs Effective incident management = includes resolving incidents with acceptable interruption window (AIW) RPO = measurement of point prior to outage to which data are to be restored Describes state of recovery that should be achieved to facilitate acceptable outcomes
  • 22.
    Elements of anIncident Response Plan CIAC & SANS Institute propose following incident response phases: Preparation Identification Containment Eradication Recovery Lessons learned
  • 23.
    Elements of anIncident Response Plan Preparation —prepares organization to develop incident response plan prior to incident. Sufficient preparation facilitates smooth execution. Activities: Establishing approach to handle incidents Establishing policy & warning banners in information systems to deter intruders & allow information collection Establishing communication plan to stakeholders Developing criteria on when to report incident to authorities Developing process to activate incident management team Establishing secure location to execute incident response plan Ensuring equipment needed is available
  • 24.
    Elements of anIncident Response Plan Identification —aims to verify if incident has happened & find out more details about incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as incident. Activities: Assigning ownership of incident or potential incident to incident handler Verifying reports or events qualify as incident Establishing chain of custody during identification when handling potential evidence Determining severity of incident & escalating it as necessary
  • 25.
    Elements of anIncident Response Plan Containment —After incident has been identified & confirmed, IMT is activated & information from incident handler is shared. Team will conduct detailed assessment & contact system owner or business manager of the affected information systems/assets to coordinate further action. The action taken is to limit the exposure. Activities: Activating incident management/response team to contain incident Notifying appropriate stakeholders affected by incident Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process Getting IT representative & relevant virtual team members involved to implement containment procedures Obtaining & preserving evidence Documenting & taking backups of actions from this phase onward Controlling & managing communication to public by PR team
  • 26.
    Elements of anIncident Response Plan Eradication —When containment measures have been deployed, it is time to determine root cause of incident & eradicate it. Eradication can be done in number of ways: restoring backups to achieve clean state of system, removing root cause, improving defenses & performing vulnerability analysis to find further potential damage from same root cause. Activities: Determining signs & cause of incidents Locating most recent version of backups or alternative solutions Removing root cause. In event of worm or virus infection, it can be removed by deploying appropriate patches & updated antivirus software. Improving defenses by implementing protection techniques Performing vulnerability analysis to find new vulnerabilities introduced by root cause
  • 27.
    Elements of anIncident Response Plan Recovery —ensures affected systems or services are restored to condition specified in RPO. The time constraint is documented in RTO. Activities: Restoring operations to normal Validating that actions taken on restored systems were successful Getting involvement of system owners to test system Facilitating system owners to declare normal operation
  • 28.
    Elements of anIncident Response Plan Lessons learned At end of incident response process, report should always be developed to share what has happened, what measures were taken & results after plan was executed. Part of report should contain lessons learned that provide IMT & other stakeholders valuable learning points of what could have been done better. These lessons should be developed into plan to enhance incident management capability & documentation of incident response plan. Activities: Writing incident report Analyzing issues encountered during incident response efforts Proposing improvement based on issues encountered Presenting report to relevant stakeholders
  • 29.
    Organizing, Training andEquipping the Response Staff Every IMT member should get following training: Induction to IMT—basic information about the team and its operations Mentoring re. team’s roles, responsibilities and procedures On the job training Formal training
  • 30.
    Recovery Planning andBusiness Recovery Processes DRP is traditionally defined as recovery of IT systems when disastrous events BCP is defined as recovery of critical business processes necessary to continue or resume operations. Each of these planning processes typically includes several main phases, including: Risk & business impact assessment Response & recovery strategy definition Documenting response & recovery plans Training that covers response a&recovery procedures Updating response & recovery plans Testing response & recovery plans Auditing response & recovery plans
  • 31.
    Recovery Strategies Mostappropriate strategy = one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost Development of incident management & response plan = difficult & expensive process that may take considerable time development of several alternative strategies prudent to consider outsourcing some or all of the needed capabilities
  • 32.
    Incident Management andResponse Teams Number of teams depends upon size of organization & magnitude of operations - examples include: Emergency action team Damage assessment team Emergency management team Relocation team Security team
  • 33.
    Notification Requirements Planshould include call tree with prioritized list of contacts Representatives of equipment & software vendors Contacts within companies have been designated to provide supplies & equipment or services Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services Contacts at offsite media storage facilities & contacts within company who are authorized to retrieve media from offsite facility Insurance company agents Contacts at human resources (HR) & contract personnel services Law enforcement contacts
  • 34.
    Periodic Testing ofthe Response and Recovery Plans Testing must include: Developing test objectives Executing test Evaluating test Developing recommendations to improve effectiveness of testing processes as well as response & recovery plans Implementing follow-up process to ensure recommendations are implemented
  • 35.
    Testing for Infrastructureand Critical Business Applications After test objectives have been defined, CISO must: Ensure independent third party observer is present to monitor & evaluate the test  Implement tracking process to ensure any recommendations resulting from testing are implemented in timely fashion Know about disaster recovery testing for infrastructure & critical business applications
  • 36.
    Type of TestsTests that are progressively more challenging: Table-top walk-through of plans Table-top walk-through with mock disaster scenarios Testing infrastructure & communication components of plan Testing infrastructure & recovery of critical applications Testing infrastructure, critical applications & involvement of end users Full restoration & recovery tests with some personnel unfamiliar with systems Surprise tests
  • 37.
    Ensuring Execution asRequired Facilitator or director* is needed to Direct tasks within plans Oversee plan execution Liaise with senior management Make decisions as necessary Defining appropriate recovery strategies & alternatives is important in overall process * - The CISO often serves as facilitator
  • 38.
    Establishing Procedures Ifan incident occurs: Information security staff needs documented procedures so that information can be properly recorded and preserved CISO should develop data/evidence preservation procedures Information systems staff must understand basic procedures, including taking no action that could change/modify/contaminate potential or actual evidence Initial response by system administrator should include: Retrieving information needed to confirm incident Identifying scope & size of affected environment (e.g., networks, systems, applications) Determining degree of loss, modification or damage (if any) Identifying possible path or means of attack
  • 39.
    Requirements for Evidence CISO must know Requirements for collecting & presenting evidence Rules for evidence, admissibility of evidence, and quality and completeness of evidence Consequences of any contamination of evidence following info security incident
  • 40.
    Post-event Reviews Post-eventreviews = critical part of incident management process CISO should: Manage post-event reviews to learn from completed tasks & to use information to improve IMT’s response procedures Consider enlisting help of third-party specialists if detailed forensic skills are needed
  • 41.
    Contact Information Mr.Marc Vael CISA, CISM, CGEIT, CISSP, ITIL Service Manager, Prince2 Foundation Vice President ISACA Belgium Chapter Koningsstraat 109-111 1000 Brussels Belgium [email_address] [email_address]
  • 42.

Editor's Notes

  • #3 Content to Emphasize: The CISM candidate must have a thorough understanding of the knowledge statements in order to pass the CISM exam. Please explain that the learning objectives/tasks are what a CISM is expected to be able to do. The tasks will relate to knowledge statements. It may be helpful to explain that the CISM must know what the core business of the organization is if they hope to demonstrate to executive management how security can help to enable the business. Section one of the chapter in the 2011 manual provides an overview of the content as well as the task and knowledge statements. The relationship of the task statements to the knowledge statements is included on pages 232-238. In addition, an explanation is provided for each knowledge statement, it’s related key concepts and reference to content in the section of the chapter. Review Manual Reference Pages: pgs. 230-239
  • #4 Incident management is defined as the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits. Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs). Review Manual Reference Page: pg. 238
  • #5 Content to Emphasize: Incident Management and Response is the operational part of risk management. It is the activities that take place as a result of unanticipated attacks, losses, theft, accidents or any other unexpected adverse events that occur as a result of the failure or lack of controls. The purpose of incident management and response is to manage and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels. These events can be technical, such as attacks mounted on the network via viruses, denial of service, or system intrusion, or they can be the result of mistakes, accidents, or system or process failure. Disruptions can also be caused by a variety of physical events such as theft of proprietary information, social engineering, lost or stolen backup tapes or laptops, environmental conditions such as floods, fires, or earthquakes, and so forth. Any type of incident that can significantly affect the organization’s ability to operate or that may cause damage must be considered by the information security manager and will normally be a part of incident management and response capabilities. As with other aspects of risk management, risk and business impact assessments (BIA) form the basis for determining the priority of resource protection and response activities. Incident management and response is a part of business continuity planning (BCP), as is disaster recovery. As “first responders” to adverse information security-related events, the objective is to prevent incidents from becoming problems, and to prevent problems from becoming disasters. Review Manual Reference Pages: pg. 250
  • #6 Outcomes of good incident management and response will be an organization that can deal effectively with unanticipated events that might threaten to disrupt the business. The organization will have sufficient detection and monitoring capabilities to ensure incidents are detected in a timely manner. There will be well-defined severity and declaration criteria as well as defined escalation and notification processes. Personnel will be trained in the recognition of incidents, the application of severity criteria, and proper reporting and escalation procedures. The organization will have response capabilities that demonstrably support the business strategy by being responsive to the criticality and sensitivity of the resources protected. It will serve to proactively manage risks of incidents appropriately in a cost-effective way and will provide integration of security related organizational functions to maximize effectiveness. It will provide monitoring and metrics to gauge performance of incident management and response capabilities. It will periodically test its capabilities and ensure that information and plans are updated regularly, are current, and accessible when needed. Review Manual Reference Page: pg. 253
  • #7 An incident management charter is a document that formally establishes the IMT, and documents its responsibility to manage and respond to security incidents. The charter also delegates the authority to take necessary actions and to make decisions prior to, during, and after an incident. As incident management is broader than incident response activities, the charter should also provide authority to implement proactive measures, vulnerability management and other incident management services. Sections of the charter document should include: • Mission —Describes the overall goals of the team and the activities that fall within the team’s scope of responsibility. This might include such tasks as responding to all incidents, minimizing their impact, and collecting data and evidence for further investigation and potential prosecution. • Scope —Defines the constitution of the IMT. The scope may be different for each organization. Some common choices of IMT scope include: • Organizational structure —Documents how the IMT is organized from a management perspective, how the members of the team are managed and how the team reports to upper-level management. • Information flow —Describes how information flows before, during and after an incident. First, this section describes how a potential security incident is reported to the IMT, and provides contact information for doing so. Second, it describes how the IMT communicates information about an incident to: – Senior management – Company employees – Business partners (e.g., suppliers, collaborators) – Regulatory organizations – Other stakeholders – The public • Services provided —Documents the specific services the IMT provides. This is based on the mission statement (above), and may include services such as incident response, policy development, compliance testing and user education. Review Manual Reference Pages: pg. 254
  • #8 The approach to incident response may vary depending on the situation, but the goals are constant. These goals include: • Containing the effects of the incident so that damage and losses do not escalate out of control • Notifying the appropriate people for the purpose of recovery or to provide needed information • Recovering quickly and efficiently from security incidents • Minimizing the impact of the security incident • Responding systematically and decreasing the likelihood of recurrence • Balancing operational and security processes • Dealing with legal and law enforcement-related issues Review Manual Reference Page: pg. 255
  • #9 As is the case with other aspects of information security, senior management commitment is critical to the success of incident management and response. It is a component of risk management and the same rationale and justification will serve. A business case can be made so that effective incident management and response may be a less costly option than attempting to implement controls for all possible conditions. Incident management and response can be part of the trade-off that may reduce the cost of risk management efforts by allowing higher levels of acceptable risk. Adequate incident response, in combination with effective information security, creates a practical risk management solution that may be more cost effective in the long run and the most prudent resource management decision. Review Manual Reference Pages: pg. 255
  • #10 Since incident management and response serves as the fire brigade, ambulance service and emergency room for the organization’s information assets, it must effectively address a wide range of possible unexpected events, both electronic and physical. It will need to have well-developed monitoring capabilities for key controls, whether procedural or technical, to provide early detection of potential problems. It will have personnel trained in assessing the situation, capable of providing triage, managing effective responses that maximize operational continuity and minimize impacts. The incident managers will have made provisions to capture all relevant information and apply previously learned lessons. They will know when a disaster is imminent and have well-defined criteria, the experience, knowledge, and the authority to invoke the disaster recovery processes necessary to maintain or recover operational status. Review Manual Reference Page: pgs. 255 - 256
  • #11 Review Manual Reference Pages: pgs. 258 - 259
  • #12 The incident response plan must be backed by well-defined policies, standards and procedures. A documented set of policies, standards and procedures is important to: • Ensure that incident management activities are aligned with the IMT mission • Set correct expectations • Provide guidance for operational needs • Maintain consistency and reliability of services The lack of suitable policies and supporting standards may hinder incident management capabilities. Review Manual Reference Page: pg. 259
  • #13 Content to Emphasize: An IMT usually consists of an information security manager, steering committee/advisory board, permanent/dedicated team members and virtual/temporary team members. The information security manager usually leads the team. In larger organizations, it may be more effective to appoint a separate IRT leader/manager that focuses on responding to incidents. Above the information security manager, there is a set of senior management executives in a group called security steering group (SSG) or security advisory board. The SSG is responsible for approving the charter and serves as an escalation point for the IMT. The SSG also approves deviations and exceptions to normal practice. Review Manual Reference Page: pg. 260
  • #14 Review Manual Reference Pages: pg. 261
  • #15 Review Manual Reference Pages: pg. 261
  • #16 Review Manual Reference Pages: pg. 261
  • #17 Content to Emphasize: To build an incident response team with capable incident handlers, organizations need people with certain skill sets and technical expertise, with abilities that enable them to respond to incidents, perform analysis tasks, and communicate effectively with the constituency and external contacts. They must also be competent problem solvers, must easily adapt to change, and must be effective in their daily activities. The set of basic skills that incident response team members need can be separated into two broad groups: • Personal skills —Major parts of the incident handler’s daily activity. • Technical skills Review Manual Reference Page: pgs. 260 - 262
  • #18 Most organizations have some sort of incident response capability, either ad hoc or formal. The information security manager must identify what is already in place as a basis for understanding the current state. There are many ways to do this; several methods that can be used are: • Survey of senior management, business managers and IT representatives —A survey is useful to find out how the incident management capability has been performed in the past or perception of such capability. • Self-assessment —Self-assessment is conducted by the IMT against a set of criteria to develop understanding on current capabilities. This is the easiest to do without requiring participation from many stakeholders. The disadvantage of this method includes the limited view on current capability and may not be in line with stakeholders’ perceived capability. • External assessment or audit —The most comprehensive option that combines interviews, surveys, simulation and other assessment techniques in the assessment. This option is normally used for an organization that already has an adequate incident management capability but is further improving it or reengineering the processes. Review Manual Reference Page: pg. 264
  • #19 Past incidents (both internal and external) can provide valuable information on trends, types of events, and business impacts. This information is used as an input to the assessment of the types of incidents that must be considered and planned for. Review Manual Reference Page: pg. 264
  • #20 Risk tolerance is the same as acceptable risk which, in the final analysis, must be determined by management. Determining acceptable impacts in financial terms and then working backward to determine risk levels may help facilitate an understanding by management. The information security manager should be aware that incident management also includes business continuity and disaster recovery planning (DRP). DRP generally comprises the plan to recover an IT processing facility or by business units to recover an operational facility. The recovery plan must be consistent with and support the overall IT plan of the organization. Overall, response management is equal to the combination of BCP, DRP, and continuity of business operations and incident response, although each part, depending on the complexity of the organization, does not necessarily have to be integrated into one single plan. To have a viable response management planning strategy, however, each must be consistent with the other. Review Manual Reference Page: pg. 264
  • #21 No matter how good controls may be, the risk of an incident cannot be completely eliminated. Accordingly, the information security manager should oversee the development of response and recovery plans to ensure that they are properly designed and implemented. These plans should, as described previously, be based on the BIA. Next, response and recovery strategies should be identified and validated and then approved by senior management. Once senior management approves these strategies, the information security manager should oversee the development of the response and recovery plans. During this process, response and recovery teams should be identified and team members mobilized. The plans must provide the teams guidance concerning the steps to be taken to recover business processes. Review Manual Reference Page: pgs. 264 - 265
  • #22 Recovery time objective (RTO) is defined as the amount of time allowed for the recovery of a business function or resource to a predefined operational level after a disaster occurs. Exceeding this time would mean organization survival would be threatened or the losses would exceed acceptable levels. RTOs are determined as a result of management deciding the level of acceptable impact as a result of the unavailability of information resources. Generally, the optimal RTO is the point where the ongoing cost of loss is equal to the cost of recovery. Review Manual Reference Page: pg. 265
  • #23 The following model proposed by Schultz, Brown and Longstaff in a University of California technical report “Responding to Computer Security Incidents: Guidelines for Incident Handling” (UCRL-ID-104689, July 23, 1990), presents the six- phase model of incident response including preparation, identification, containment, eradication, restoration and follow- up: • Preparation —This phase prepares an organization to develop an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution. • Identification —This phase aims to verify if an incident has happened and find out more details about the incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident. • Containment —After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure. • Eradication —When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause. • Recovery —This phase ensures that affected systems or services are restored to a condition specified in the RPO. The time constraint up to this phase is documented in the RTO. • Lessons learned —At the end of the incident response process, a report should always be developed to share what has happened, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the IMT and other stakeholders valuable learning points of what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan. Review Manual Reference Page: pgs. 265 - 266
  • #24 • Preparation —This phase prepares an organization to develop an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution. Activities in this phase include: – Establishing an approach to handle incidents – Establishing policy and warning banners in information systems to deter intruders and allow information collection – Establishing communication plan to stakeholders – Developing criteria on when to report incident to authorities – Developing a process to activate the incident management team – Establishing a secure location to execute the incident response plan – Ensuring equipment needed is available Review Manual Reference Page: pgs. 265 - 266
  • #25 • Identification —This phase aims to verify if an incident has happened and find out more details about the incident. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident. Activities in this phase include: – Assigning ownership of an incident or potential incident to an incident handler – Verifying that reports or events qualify as an incident – Establishing chain of custody during identification when handling potential evidence – Determining the severity of an incident and escalating it as necessary Review Manual Reference Page: pgs. 265 - 266
  • #26 • Containment —After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure. Activities in this phase include: – Activating the incident management/response team to contain the incident – Notifying appropriate stakeholders affected by the incident – Obtaining agreement on actions taken that may affect availability of a service or risks of the containment process – Getting the IT representative and relevant virtual team members involved to implement containment procedures – Obtaining and preserving evidence – Documenting and taking backups of actions from this phase onward – Controlling and managing communication to the public by the public relations team Review Manual Reference Page: pgs. 265 - 266
  • #27 • Eradication —When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause. Activities in this phase include: – Determining the signs and cause of incidents – Locating the most recent version of backups or alternative solutions – Removing the root cause. In the event of worm or virus infection, it can be removed by deploying appropriate patches and updated antivirus software. – Improving defenses by implementing protection techniques – Performing vulnerability analysis to find new vulnerabilities introduced by the root cause Review Manual Reference Page: pgs. 265 - 266
  • #28 • Recovery —This phase ensures that affected systems or services are restored to a condition specified in the RPO. The time constraint up to this phase is documented in the RTO. Activities in this phase include: – Restoring operations to normal – Validating that actions taken on restored systems were successful – Getting involvement of system owners to test the system – Facilitating system owners to declare normal operation Review Manual Reference Page: pgs. 265 - 266
  • #29 • Lessons learned —At the end of the incident response process, a report should always be developed to share what has happened, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the IMT and other stakeholders valuable learning points of what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan. Activities in this phase include: – Writing the incident report – Analyzing issues encountered during incident response efforts – Proposing improvement based on issues encountered – Presenting the report to relevant stakeholders Review Manual Reference Page: pgs. 265 - 266
  • #30 Content to Emphasize: Training the response teams is essential; the information security manager should develop event scenarios and test the response and recovery plans to ensure that team participants are familiar with their tasks and responsibilities. Through this process the teams will also identify the resources they require for response and recovery, providing the basis for equipping the teams with needed resources. An added value of training is detecting and modifying ambiguous procedures to achieve clarity and determining recovery resources that may not be adequate or effective. IMT members should undergo the following training program: • Induction to the IMT —The induction should provide the essential information required to be an effective IMT member. • Mentoring team members regarding roles, responsibilities and procedure —Existing IMT members can provide valuable knowledge to aid new members after induction. To facilitate effective mentoring, the buddy system can be used, pairing new members with experienced members. • On-the-job training —May serve to provide an understanding of company policies, standards, procedures, available tools and applications, acceptable code of conduct, etc. • Formal training —Team members may require formal training to attain an adequate level of competence necessary to support the overall incident management capability. Review Manual Reference Page: pg. 266
  • #31 Content to Emphasize: The information security manager must understand the basic processes required to recover operations from incidents such as DoS attacks, natural disasters and other potential disruption of business operations. Disaster recovery (DR) has traditionally been defined as the recovery of IT systems after disruptive events such as hurricanes and floods. Business recovery is defined as the recovery of the critical business processes necessary to continue or resume operations. Business recovery includes not only disaster recovery, but also all other required operational aspects. Review Manual Reference Page: pg. 266
  • #32 Content to Emphasize: Various strategies exist for recovering critical information resources. The most appropriate strategy is likely to be one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost. Depending on the size and complexity of the organization and the state of recovery planning, the information security manager should understand that the development of an incident management and response plan is likely to be a difficult and expensive process that may take considerable time. It may require the development of several alternative strategies encompassing different capabilities and costs to be presented to management for a final decision. Each alternative must be sufficiently developed to provide an understanding of the trade-offs between scope, capabilities and cost. It may be prudent to consider outsourcing some or all of the needed capabilities and determine costs for the purpose of comparisons. Once the decision is made for which strategy best meets management’s objectives, it provides the basis for the development of detailed incident management and response plans. Review Manual Reference Page: pg. 267
  • #33 The plan must identify teams and define their assigned responsibilities in the event of an incident. To implement the strategies that have been developed for business recovery, key decision making, technical and end-user personnel to lead teams need to be designated and trained. Depending on the size of the business operation, the team may consist of a single person. The involvement of these teams depends on the level of the disruption of service and the types of assets lost, compromised, damaged or endangered. A matrix should be developed that indicates the correlation between the functions of the different teams. This will facilitate estimating the magnitude of the effort and activating the appropriate combination of teams. Examples of the kinds of teams usually needed include the: • The emergency action team —Designated fire wardens and “bucket crews” whose function is to deal with fires or other emergency response scenarios • Damage assessment team— Qualified individuals who assess the extent of damage to physical assets and make an initial determination regarding what is a complete loss vs. what is restorable or salvageable • Emergency management team —Responsible for coordinating the activities of all other recovery teams and handling key decision making • Relocation team —Responsible for coordinating the process of moving from the hot site to a new location or to the restored original location • Security team —Often called a computer security incident response team, it is responsible for monitoring the security of systems and communication links, containing any ongoing security threats, resolving any security issues that impede the expeditious recovery of the system(s), and assuring the proper installation and functioning of every security software package. Review Manual Reference Page: pgs. 269 - 270
  • #34 The recovery plan must also cover notification responsibilities and requirements. It should also include a directory of key decision-making personnel, information systems owners, end users and others required to initiate and carry out response efforts. This directory should also include multiple communication methods (telephone, cell phone, text, e-mail, etc). The directory should include at least the following individuals: • Representatives of equipment and software vendors • Contacts within companies that have been designated to provide supplies and equipment or services • Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services • Contacts at offsite media storage facilities and the contacts within the company who are authorized to retrieve media from the offsite facility • Insurance company agents • Contacts at human resources (HR) and/or contract personnel services • Law enforcement contacts Review Manual Reference Page: pg. 270
  • #35 The information security manager, helped by the recovery team’s organization, should implement periodic testing of response and recovery plans. Testing should include: • Developing test objectives • Executing the test • Evaluating the test • Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans • Implementing a follow-up process to ensure that the recommendations are implemented Review Manual Reference Pages: pg. 273
  • #36 Content to Emphasize: The information security manager should also implement a tracking process to ensure that any recommendations resulting from testing are implemented in a timely fashion. Personnel should be tasked with making any necessary changes. The information security manager needs to understand that testing recovery and response plans need to include infrastructure and critical applications. With today’s organizations’ heavy reliance on information technology, the information security manager is not only tasked with securing these systems during normal operations, but also during disaster events. Based on the risk assessment and business impact information, the information security manager can identify critical applications that the organization requires and the infrastructure needed to support them. To ensure that these are recovered in a timely fashion, the information security manager needs to perform appropriate recovery tests. Review Manual Reference Page: pgs. 273 - 274
  • #37 Review Manual Reference Page: pg. 274
  • #38 To ensure the response and recovery plans are executed as required, the plans need a facilitator or director to direct the tasks within the plans, oversee their execution, liaise with senior management and make decisions as necessary. The information security manager may or may not be the appropriate person to act as the recovery plan director or coordinator, but must be certain the role is assigned to someone who can perform this critical function. Developing appropriate response and recovery strategies as well as alternatives is an essential component in the overall process of executing the response and recovery plans. It will provide reasonable assurance that the organization can recover its key business functions in the event of a disruption and that it responds appropriately to a security-related incident. Review Manual Reference Page: pg. 275
  • #39 Having a good legal framework is important to provide options to the organization. The information security manager should develop data preservation procedures with the advice and assistance of legal counsel, the organization’s managers and knowledgeable law enforcement officials to assure the procedures provide sufficient guidance to IT and security staff. With the assistance of these specialized resources, the information security manager can develop procedures to handle security events in a manner that preserves evidence, ensures legally sufficient chain of custody, and is appropriate to meet business objectives. There are a few basic actions the information systems staff must understand. This includes doing nothing that could change/modify/contaminate potential or actual evidence. Trained forensics personnel can inspect computer systems that have been attacked, but if the organization’s personnel contaminate the information, the data may not be admissible in a court of law and/or the forensics staff may be unable to use the data in investigating an incident. Computer forensics, gathering and handling information and physical objects relevant to a security incident in a systematic manner so that they can be used as evidence in a court of law should usually be performed by a specially trained staff, third-party specialists, security incident response team or law enforcement officials. Review Manual Reference Pages: pg. 278
  • #40 Content to Emphasize: The information security manager should understand that any contamination of evidence following an intrusion could prevent an organization prosecuting a perpetrator and limit its options. In addition, the modification of data can inhibit computer forensic activity necessary to identify the perpetrator and all the changes and effects resulting from an attack. It may also preclude the possibility of identifying how the attack occurred, and how the security program should be changed and enhanced to reduce the risk of a similar attack in the future. The usual recommendation for a computer that has been compromised is to disconnect the power to maximize the preservation of evidence on the hard disk. This is not universally accepted as the best solution, and the information security manager will need to establish the most appropriate approach for their organization and train personnel in the appropriate procedures. Whichever procedure is used to secure a compromised system, trained personnel must use forensic tools to create a bit-by-bit copy of any evidence that may exist on hard drives and other media to ensure legal admissibility. To avoid the potential for alteration or destruction of incident-related data, any testing or data analysis should be conducted using this copy. The original should be given to a designated evidence custodian who must store it in a safe location. The original media must remain unchanged and a record of who has had custody of it—the chain of custody—must be maintained for the custody to be admissible in court. Review Manual Reference Page: pgs. 278 - 279
  • #41 Content to Emphasize: The information security manager should manage postevent reviews to learn from each incident and the resulting response and recovery effort and to use the information to improve the organization’s response and recovery procedures. The information security manager may perform postevent reviews to identify causes and corrective actions with the help of third-party specialists if detailed forensic skills are needed. Review Manual Reference Page: pg. 279
  • #42 The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. ANSI reaccredited these ISACA programs in 2008. ANSI’s accreditation: Promotes the unique qualifications and expertise our certifications provide Protects the integrity of our certifications and provides legal defensibility Enhances consumer and public confidence in the certifications and the people who hold them Facilitates the mobility of certified individuals across borders or industries Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process. To maintain ANSI accreditation, certification bodies such as ISACA are required to consistently adhere to a set of requirements or procedures related to quality, openness and due process. The American National Standards Institute (ANSI) is a private, nonprofit organization that administers and coordinates the US voluntary standardization and conformity assessment system. Its mission is to enhance both the global competitiveness of US business and the US quality of life by promoting and facilitating voluntary consensus standards and conformity assessments systems, and safeguarding their integrity. Importantly, this accreditation and adherence to ISO/IEC 17024 is being used as an industry benchmark. For example, the U.S. Department of Defense (DoD), to ensure a knowledgeable and skilled workforce, has developed a directive that requires every full and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system, regardless of job series or occupational specialty, to obtain a commercial certification credential that has been accredited by the American national Standards Institute (ANSI). With this accreditation, we anticipate that significant opportunities for CISMs will continue to open in the US, and we believe it will be a strong motivator for similar recognition by governmental entities outside the US.