CISM Certified Information Security Manager




Firebrand Custom Designed Courseware

Chapter 4 Information Security Incident Management

Exam Relevance
- Ensure that the CISM candidate can establish an effective program to respond to and subsequently manage incidents that threaten an organization's information systems and infrastructure
- The content area in this chapter represents approximately 18% of the CISM examination (approximately 36 questions)
ISACA CISM Review Manual Page 220

Chapter 4 Learning Objectives
- Develop and implement processes for:
  - Detecting
  - Identifying
  - Analyzing
  - Responding to information security incidents
ISACA CISM Review Manual Page 220

Learning Objectives cont.
- Incident management process
  - Establish a severity hierarchy for identification and response to security incidents
  - Maintain an incident response plan
  - Establish processes to identify and investigate incidents
  - Establish escalation and communications plans
  - Develop a skilled team
ISACA CISM Review Manual Page 220

Learning Objectives cont.
- Test and refine information security incident response plans
- Manage incident response
- Conduct post-incident reviews of security incidents to determine root cause, develop corrective actions and reassess risk
- Integrate incident response plans with business continuity plans (BCP) and disaster recovery plans (DRP)
ISACA CISM Review Manual Page 220

Definition
- Incident: any event that has the potential to adversely impact the ability of the business to meet its objectives
- Incident management: the capability to effectively manage unexpected disruptive events
  - Minimize impacts
  - Maintain and restore normal business operations within defined time limits
ISACA CISM Review Manual Page 233

Definition
- Incident response: the operational capability of incident management that identifies, prepares for and responds to incidents
  - Provide forensic and investigative capabilities
  - Restore normal operations as defined in service level agreements (SLAs)
  - Manage the impact of unexpected disruptive events to acceptable levels
ISACA CISM Review Manual Page 234

Definition
- Incident management will ensure that incidents are detected, recorded and managed to limit impacts.
ISACA CISM Review Manual Page 234

Goals of Incident Management and Response
The goals of incident management and response include:
- The ability to deal effectively with unanticipated events
- Detection and monitoring capabilities to alert staff to a potential incident
- Effective notification and reporting to management
- A response plan that is aligned with business priorities
ISACA CISM Review Manual Page 234

Goals of Incident Response cont.
- The ability to learn from past incidents and prevent future problems
- Regular testing and validation of the effectiveness of the plan
ISACA CISM Review Manual Page 234

What is an Incident - Intentional
- Malicious code
- Unauthorized access to IT systems, facilities, information
- Unauthorized use of resources
- Unauthorized changes to systems, networks
- Denial of service (DoS)
- Surveillance, espionage
- Social engineering
- Fraud
ISACA CISM Review Manual Page 236

What is an Incident - Unintentional
- Equipment failure
- Utility failure (power)
- Software bugs
- Deletion of files
- Weather-related issues
ISACA CISM Review Manual Page 236

Incident Response Team Members

Personnel
An incident response team usually consists of:
- The incident manager (often an information security manager)
- The team leader
- Steering committee/advisory board, which provides oversight and authority
ISACA CISM Review Manual Page 239

Personnel cont.
An incident response team usually consists of:
- Permanent/dedicated team members
- Specialized skills: forensics, audit, communications, legal
- Representation from key departments: operations, IT, HR, finance, security, executive, etc.
- Virtual/temporary team members
- External experts
ISACA CISM Review Manual Page 237

Personnel cont.
The composition of the incident response team will depend on a number of factors such as:
- Mission and goals of the incident response program
- Nature and range of services provided
- Available staff expertise
- Scope and technology base
- Anticipated incident load
- Severity or complexity of incident reports
- Funding
- Regulations and legal considerations
ISACA CISM Review Manual Page 237

Team Member Skills
The set of basic skills that incident response team members need can be separated into two broad groups:
- Personal skills
  - Ability to handle stress
  - Leadership skills
  - Expertise based on the incident handler's daily activity
- Technical skills
  - Specialized skills in IT, communications, etc.
ISACA CISM Review Manual Page 238

Skills cont.
- Personal skills
  - Communication
  - Presentation skills
  - Ability to follow policies and procedures
  - Team skills
  - Integrity
  - Confidence
  - Problem solving
  - Time management
ISACA CISM Review Manual Page 238

Skills cont.
- Technical skills
  - Basic understanding of the underlying technologies used by the organization
  - Understanding of the techniques, decision points and supporting tools required in incident management
ISACA CISM Review Manual Page 239

Security Concepts and Technologies
The following security concepts and technologies should be considered and known to IRTs:
- Security principles
- Security vulnerabilities/weaknesses
- The Internet
- Network protocols
- Network applications and services
- Network security issues
- Operating systems
- Malicious code
- Programming skills
ISACA CISM Review Manual Page 237

Organizing, Training and Equipping the Response Staff
Every incident response team member should get the following types of training:
- Induction to incident response: basic information about the team and its operations
- Description of the team's roles, responsibilities and procedures
- On-the-job training
- Formal training
ISACA CISM Review Manual Page 238

Review and Audit of Incident Response
ISACA CISM Review Manual Page 240

Value Delivery
To deliver value, incident management should:
- Integrate and align with business processes and structures
- Improve the capability of businesses to manage incidents effectively
- Integrate incident management with risk and business continuity
- Become part of an organization's overall strategy and effort to protect and secure critical business functions and assets
ISACA CISM Review Manual Page 241

Performance Measurement
- Performance measurements for incident management and response will focus on achieving the defined objectives and optimizing effectiveness
  - Incident response time
  - Application of lessons learned
- KPIs and KGIs should be defined and agreed upon by stakeholders and ratified by senior management
ISACA CISM Review Manual Page 241

Reviewing the Current State of Incident Response Capability
- Survey of senior management, business managers and IT representatives
- Self-assessment
- External assessment or audit
ISACA CISM Review Manual Page 243

Audits
Audits (internal and external) must be performed to verify:
- Incidents have been resolved and closed off
- Lessons learned have been applied to the organization
- Adherence by the incident response team to the policies and procedures defined by the organization
ISACA CISM Review Manual Page 240

History of Incidents
- Past incidents provide valuable information on risk trends, threat types and business impact due to an incident
- Can be used to evaluate the existing plans
- Used as input to know the types of incidents that must be considered and planned for
ISACA CISM Review Manual Page 244

Gap Analysis - Basis for an Incident Response Plan
Gap analysis compares current incident response capabilities with the desired level. The following may be identified:
- Processes that need to be improved to be more efficient and effective
- Resources needed to achieve the objectives for the incident response capability
ISACA CISM Review Manual Page 245

Preparing the Incident Response Plan

Incident Management and Response
The incident management and response structure should include:
- Incident response planning
- Business continuity planning
- Disaster recovery planning
- Recovery of IT systems

Incident Management and Response cont.
Plans must be:
- Clearly documented
- Readily accessible
- Based on the long-range IT plan
- Consistent with the overall business continuity and security strategies

Incident Management and Response cont.
Incident response planning includes:
- Incident detection capabilities (ability to recognize an event: false positive vs. real event)
- Clearly defined severity criteria (catastrophic, major, minor)
- Assessment and triage capabilities (determine extent of incident)
- Declaration criteria (activation of response teams)

Importance of Incident Management and Response
Incident response is required since even minor incidents may:
- Affect business viability
- Develop into major incidents
- Require public communications plans
- Necessitate advising regulators, clients or other affected stakeholders
Even the best controls cannot prevent all incidents.
ISACA CISM Review Manual Page 234

Incident Response Functions
- Detection and reporting
- Alerting, escalation
- Triage
- Containment, recovery
- Analysis: root cause, lessons learned
- Incident response team skills: necessary training and experience
ISACA CISM Review Manual Page 234

Incident Management Technologies
An effective incident management system should:
- Monitor and consolidate inputs from multiple systems
- Identify incidents or potential incidents
- Prioritize incidents based on business impact
- Provide status tracking and notifications
- Integrate with major IT management systems
- Follow good practice guidelines
ISACA CISM Review Manual Page 235

Responsibilities of the CISM
- Developing the information security incident management and response plans
- Handling and coordinating information security incident response activities
- Validating, verifying and reporting on the effectiveness of protective controls and countermeasure solutions
- Planning, budgeting and program development for all matters related to information security incident management and response
ISACA CISM Review Manual Page 236

Incident Response Responsibilities
The responsibilities of incident response include:
- Managing the incident so that the impact is contained and minimal damage occurs
- Notifying the appropriate people and escalating the incident to management when required
- Recovering quickly and efficiently from security incidents
- Balancing operational and security needs
ISACA CISM Review Manual Page 236

Incident Response Responsibilities cont.
The responsibilities of incident response include:
- Responding systematically and decreasing the likelihood of cascading problems or incident recurrence
- Dealing with legal and law enforcement-related issues
- Ensuring that the incident response is documented
- Following up on lessons learned to enhance controls
ISACA CISM Review Manual Page 236

Requirements for Incident Response Managers
- Have the leadership skills necessary to manage crisis teams
- Understand business priorities and culture
- Have the experience, knowledge and authority to invoke the disaster recovery processes necessary to maintain or recover operational status
ISACA CISM Review Manual Page 236

Senior Management Involvement
- Senior management provides strategic direction during the crisis
- Reporting of the incident is escalated to senior management
- Decisions and direction are passed down to the incident management teams
ISACA CISM Review Manual Page 236

The Desired State
Incident management and response requires:
- Well-developed monitoring capabilities for key controls
- Personnel trained in assessing the situation, capable of providing triage and managing effective responses
- Managers that have made provisions to capture all relevant information and apply previously learned lessons
ISACA CISM Review Manual Page 240

Strategic Alignment of Incident Response
Incident management must be aligned with the organization's strategic plan:
- Scope: what incidents are the responsibility of the incident response team
- Services: services should be clearly defined
- Organizational structure
- Reporting and oversight
- Resources: sufficient staffing and skills necessary for effective response
- Funding: sufficient funding as required to manage incident response
- Management buy-in: senior management buy-in is essential
ISACA CISM Review Manual Page 240

Creating a Detailed Incident Response Plan

Detailed Plan of Action for Incident Management
The incident management action plan outlined in the CMU/SEI technical report titled "Defining Incident Management Processes":
- Prepare/improve/sustain (prepare)
- Protect infrastructure (protect)
- Detect events (detect)
- Triage events (triage)
- Respond
ISACA CISM Review Manual Page 242

Detailed Plan of Action for Incident Management - Prepare
Prepare/improve/sustain (prepare) phase:
- Coordinate planning and design
- Identify incident management requirements
- Establish vision and mission
- Obtain funding and sponsorship
- Develop implementation plan
- Coordinate implementation
ISACA CISM Review Manual Page 242

Detailed Plan of Action for Incident Management - Prepare cont.
Prepare/improve/sustain (prepare) phase:
- Develop policies, processes and plans
- Establish incident handling criteria
- Implement defined resources
- Evaluate incident management capability
- Conduct postmortem review
- Determine incident management process changes
- Implement incident management process changes
ISACA CISM Review Manual Page 242

Detailed Plan of Action for Incident Management - Protect
Protect infrastructure (protect) phase:
- Implement changes to computing infrastructure to mitigate ongoing or potential incidents
- Implement infrastructure protection improvements from postmortem reviews or other process improvement mechanisms
- Evaluate computing infrastructure by performing proactive security assessments and evaluations
- Provide input to detect processes on incidents/potential incidents
ISACA CISM Review Manual Page 242

Detailed Plan of Action for Incident Management - Detect
Detect events (detect) phase:
- Proactive detection: the detection process is conducted prior to an incident alert. This enables the response team to detect attack precursors, false negatives and emerging threats.
- Reactive detection: the detection process is conducted when there are reports of possible incidents from system users or other organizations
ISACA CISM Review Manual Page 242

Detailed Plan of Action for Incident Management - Triage
- Triage requires initial gathering of incident data, incident severity determination, notification and activation of the incident response team
- Can be done on two levels
  - Tactical: based on a set of criteria
  - Strategic: based on business impact
ISACA CISM Review Manual Page 242
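As an added illustration (not from the course or the ISACA manual) of the tactical and strategic triage levels on this slide, combined with the severity criteria (catastrophic, major, minor) and declaration criteria from the incident response planning slide earlier: the tactical rule set, the business-impact table and the escalation list are all constructed assumptions.

```python
"""Two-level triage of a reported event: tactical (fixed criteria on what was
observed) and strategic (business impact of the affected services). The
higher of the two becomes the incident severity, which drives declaration
and notification. All thresholds, services and contacts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

SEVERITY_ORDER = {"none": 0, "minor": 1, "major": 2, "catastrophic": 3}

# Constructed escalation plan: who is notified at each severity.
NOTIFY: Dict[str, List[str]] = {
    "none": [],
    "minor": ["incident handler on duty"],
    "major": ["incident handler on duty", "incident manager", "IT operations lead"],
    "catastrophic": ["incident handler on duty", "incident manager", "IT operations lead",
                     "senior management", "legal", "communications"],
}

# Constructed business impact analysis: impact of losing each service.
BUSINESS_IMPACT: Dict[str, str] = {
    "payments": "catastrophic",
    "customer-portal": "major",
    "intranet-wiki": "minor",
}


@dataclass
class Event:
    source: str                 # e.g. "ids", "user-report"
    confirmed: bool             # result of the false-positive vs. real-event check
    category: str               # "malware", "unauthorized-access", "dos", "hardware-failure", ...
    affected_services: List[str] = field(default_factory=list)
    hosts_affected: int = 0
    data_exposed: bool = False


def tactical_severity(ev: Event) -> str:
    """Tactical level: severity from a fixed set of criteria (constructed thresholds)."""
    if ev.data_exposed or ev.hosts_affected >= 50:
        return "catastrophic"
    if ev.category in ("unauthorized-access", "malware", "dos") or ev.hosts_affected >= 5:
        return "major"
    return "minor"


def strategic_severity(ev: Event) -> str:
    """Strategic level: the worst business impact among the affected services."""
    worst = "minor"
    for svc in ev.affected_services:
        # A service missing from the BIA is treated as major until assessed.
        impact = BUSINESS_IMPACT.get(svc, "major")
        if SEVERITY_ORDER[impact] > SEVERITY_ORDER[worst]:
            worst = impact
    return worst


def triage(ev: Event) -> dict:
    """Return severity, whether the response team is activated, and who is notified."""
    if not ev.confirmed:
        # Not an incident: nothing is declared, but the verification is still recorded.
        return {"severity": "none", "declare": False, "notify": NOTIFY["none"],
                "reason": "false positive after verification"}
    tactical = tactical_severity(ev)
    strategic = strategic_severity(ev)
    severity = max(tactical, strategic, key=lambda s: SEVERITY_ORDER[s])
    # Constructed declaration criterion: major or worse activates the response team.
    declare = SEVERITY_ORDER[severity] >= SEVERITY_ORDER["major"]
    return {"severity": severity, "declare": declare, "notify": NOTIFY[severity],
            "reason": f"tactical={tactical}, strategic={strategic}"}


if __name__ == "__main__":
    # A single failed disk on the payments platform: tactically minor,
    # strategically catastrophic, so the team is activated.
    print(triage(Event("monitoring", True, "hardware-failure", ["payments"], hosts_affected=1)))
```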

Detailed Plan of Action for Incident Management - Response
- Technical response
  - Collecting data for further analysis
  - Analyzing incident supporting information such as log files
  - Technical mitigation strategies and recovery options
  - Development and deployment of workarounds
- Management response
- Legal response
ISACA CISM Review Manual Page 242

Elements of an Incident Response Plan
Another approach to the development of an incident response plan:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
ISACA CISM Review Manual Page 244

Crisis Communications
One of the greatest challenges in a crisis is effective communications:
- Internal: staff, management, business units
- External: business partners, shareholders, general public, government and regulatory bodies, law enforcement
ISACA CISM Review Manual Page 248

Challenges in Developing an Incident Management Plan
Unanticipated challenges may be the result of:
- Lack of management buy-in and organizational consensus
- Mismatch to organizational goals and priorities
- Incident management team member turnover
- Poor communications
- An overly complex and wide-ranging plan
ISACA CISM Review Manual Page 248

Responding to an Incident

When an Incident Occurs
If an incident occurs:
- The incident response team should follow the procedures set out in the incident response plan
- Properly document (record and preserve) all information related to the incident
- Follow data/evidence preservation procedures
- Take precautions to avoid changing, altering or contaminating any potential or actual evidence
ISACA CISM Review Manual Page 258

During an Incident
The initial response to an incident should include:
- Retrieving information needed to confirm an incident (false positive or real event)
- Notifying the incident manager and activating incident response teams
ISACA CISM Review Manual Page 258

During an Incident cont.
- Identifying the scope and size of the affected environment (e.g., networks, systems, applications)
- Containing the incident and minimizing the potential for further damage
- Determining the degree of loss, modification or damage (if any)
- Identifying the possible path or means of attack
- Restoring critical services
ISACA CISM Review Manual Page 258

Containment Strategies
During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs:
- Network isolation and segmentation
- Fire doors and fire suppression
- Fail secure
- Multiple suppliers
- Multiple facilities
- Cross-trained staff
ISACA CISM Review Manual Page 258

The Battle Box
Preloaded kits containing the tools and support materials needed by the response team in a crisis:
- Flashlights
- Communications (radio, satellite phones)
- Batteries
- Forms and documentation, pens
- Tools
- Protective clothing
- First aid kits
- Evidence collection bags

Evidence Identification and Preservation
The CISM must know:
- Requirements for collecting and preserving evidence
- Rules for evidence, admissibility of evidence, and quality and completeness of evidence
- The consequences of any contamination of evidence following a security incident
Consider enlisting the help of third-party specialists if detailed forensic skills are needed.
ISACA CISM Review Manual Page 260

Post Event Reviews
Post event reviews allow lessons learned to be applied to future incidents:
- Use information gathered to improve response procedures
- Do reviews with all affected staff
- Follow up on all lessons
ISACA CISM Review Manual Page 259

Business Continuity and Disaster Recovery Planning

Disaster Recovery Planning (DRP) and Business Recovery Processes
- Disaster recovery has traditionally been defined as the recovery of IT systems from disastrous events
- Business recovery (resumption) is defined as the recovery of the critical business processes necessary to continue or resume operations
ISACA CISM Review Manual Page 249

Development of BCP and DRP
Each of these planning processes typically includes several main phases, including:
- Risk and business impact assessment
- Response and recovery strategy definition
- Documenting response and recovery plans
- Training all users and response teams
- Updating response and recovery plans
- Testing response and recovery plans
- Auditing response and recovery plans
ISACA CISM Review Manual Page 249

Plan Development
Plan development factors include:
- Pre-incident readiness
- Evacuation procedures
- How to declare a disaster
- Identifying the business processes and IT resources that should be recovered
- Identifying the responsibilities in the plan
ISACA CISM Review Manual Page 249

Plan Development cont.
Plan development factors include:
- Identifying contact information
- The step-by-step explanation of the recovery options
- Identifying the various resources required for recovery and continued operations
- Ensuring that other logistics such as personnel relocation and temporary housing are considered
ISACA CISM Review Manual Page 250

Developing Response and Recovery Plans
Factors to consider when developing response and recovery plans include:
- Available resources
- Expected service levels
- Types, kinds and severity of threats faced by the organization
ISACA CISM Review Manual Page 250

Recovery Strategies
Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal. Strategies may include:
- Doing nothing until recovery facilities are ready
- Using manual procedures/workarounds
- Focusing on the most important customers, suppliers, products and systems with resources that are still available
ISACA CISM Review Manual Page 251

Recovery Strategies
The most appropriate recovery strategy is based on:
- The ability to recover within acceptable recovery times at a reasonable cost
- Which recovery strategies are available
- Several options may be considered, including outsourcing of certain functions
ISACA CISM Review Manual Page 252

Basis for Recovery Strategy Selections
Response and recovery strategy plans should be based on the following considerations:
- Interruption window
- Recovery time objectives (RTOs)
- Recovery point objectives (RPOs)
- Service delivery objectives (SDOs)
- Maximum tolerable outages (MTOs) / maximum tolerable period of disruption (MTPD)
- Location
- Nature of probable disruptions
ISACA CISM Review Manual Page 252

Disaster Recovery Sites
Types of offsite backup hardware facilities available include:
- Hot sites
- Warm sites
- Cold sites
- Mobile sites
- Duplicate information processing facilities
- Mirror sites
ISACA CISM Review Manual Page 250

Disaster Recovery Sites cont.
Criteria for selecting alternate sites for processing in the event of a disaster include:
- The recovery site should not be subject to the same disaster(s) as the primary site
- Availability of similar hardware/software
- Ability to move people and resources to the recovery location
- Ability to test the recovery strategy
ISACA CISM Review Manual Page 250
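An added example (not from the course or the ISACA manual) that applies the recovery strategy selection considerations (RTO, RPO, MTPD, location, reasonable cost) together with the site selection criteria on this slide to a constructed list of candidate sites; the site types follow the slide, but every figure, region and cost is an assumption.

```python
"""Pick the cheapest recovery option that meets the business objectives.
An option is rejected if it cannot restore service within the RTO, cannot
provide data newer than the RPO, sits in the same region as the primary
site (exposed to the same disaster), lacks comparable hardware/software,
or cannot be tested. Objectives with RTO > MTPD are flagged as
inconsistent before any site is considered. All data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Option:
    name: str
    kind: str               # hot, warm, cold, mobile, mirror (site types from the slide)
    recovery_hours: float   # time to bring service up at this site
    data_loss_hours: float  # age of the newest data available there (replication lag / backup interval)
    region: str             # used for the "not subject to the same disaster" criterion
    annual_cost: int        # constructed
    same_platform: bool     # similar hardware/software available
    testable: bool          # the recovery strategy can be exercised at this site


@dataclass(frozen=True)
class Objectives:
    rto_hours: float
    rpo_hours: float
    mtpd_hours: float
    primary_region: str


# Constructed candidate sites.
CANDIDATES: List[Option] = [
    Option("mirror-eu-west", "mirror", 0.1, 0.0, "eu-west", 900_000, True, True),
    Option("hot-eu-central", "hot", 2.0, 0.25, "eu-central", 400_000, True, True),
    Option("warm-eu-west", "warm", 12.0, 4.0, "eu-west", 150_000, True, True),
    Option("cold-eu-north", "cold", 72.0, 24.0, "eu-north", 40_000, False, False),
    Option("mobile-unit", "mobile", 48.0, 24.0, "any", 60_000, True, False),
]


def shortfalls(opt: Option, obj: Objectives) -> List[str]:
    """Return the reasons an option fails the objectives (empty list means acceptable)."""
    reasons = []
    if opt.recovery_hours > obj.rto_hours:
        reasons.append(f"recovery {opt.recovery_hours}h exceeds RTO {obj.rto_hours}h")
    if opt.data_loss_hours > obj.rpo_hours:
        reasons.append(f"data loss {opt.data_loss_hours}h exceeds RPO {obj.rpo_hours}h")
    if opt.region == obj.primary_region:
        reasons.append("same region as primary site: subject to the same disaster")
    if not opt.same_platform:
        reasons.append("no similar hardware/software available")
    if not opt.testable:
        reasons.append("recovery strategy cannot be tested at this site")
    return reasons


def select(obj: Objectives, candidates: List[Option] = CANDIDATES) -> Dict[str, object]:
    """Choose the least expensive acceptable option; explain every rejection."""
    if obj.rto_hours > obj.mtpd_hours:
        # The business would fail before recovery completes; fix the objectives first.
        return {"chosen": None, "rejected": {},
                "error": f"RTO {obj.rto_hours}h exceeds MTPD {obj.mtpd_hours}h"}
    rejected: Dict[str, List[str]] = {}
    acceptable: List[Option] = []
    for opt in candidates:
        reasons = shortfalls(opt, obj)
        if reasons:
            rejected[opt.name] = reasons
        else:
            acceptable.append(opt)
    chosen: Optional[Option] = min(acceptable, key=lambda o: o.annual_cost, default=None)
    return {"chosen": chosen.name if chosen else None, "rejected": rejected, "error": None}


if __name__ == "__main__":
    # A 4-hour RTO with a 1-hour RPO for a primary site in eu-west.
    print(select(Objectives(rto_hours=4, rpo_hours=1, mtpd_hours=8, primary_region="eu-west")))
```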

Recovery of Communications
Recovery of IT facilities involves telecommunications and network recovery:
- Alternative/diverse routing
- Long-haul network diversity
- Voice recovery
- Availability of appropriate circuits and adequate bandwidth
- Availability of out-of-band communications in case of failure of primary communication methods
ISACA CISM Review Manual Page 254

Notification Requirements
Plan should include a call tree with a prioritized list of contacts:
- Representatives of equipment and software vendors
- Contacts within companies that have been designated to provide supplies and equipment or services
- Contacts at recovery facilities, including hot-site representatives or predefined network communications rerouting services
ISACA CISM Review Manual Page 253

Notification Requirements cont.
Plan should include a call tree with a prioritized list of contacts:
- Contacts at off-site media storage facilities and the contacts within the company who are authorized to retrieve media from the offsite facility
- Insurance company agents
- Contacts at human resources (HR) and/or contract personnel services
- Law enforcement contacts
ISACA CISM Review Manual Page 253

Response Teams
Number of teams depends upon size of organization and magnitude of operations; examples include:
- The emergency action team
- Damage assessment team
- Emergency management team
- Relocation team
- Security team
ISACA CISM Review Manual Page 247

Insurance
Types of insurance coverage:
- IT equipment and facilities
- Media (software) reconstruction
- Extra expense
- Business interruption
- Valuable papers and records
- Errors and omissions
- Fidelity coverage
- Media transportation
ISACA CISM Review Manual Page 255

Testing Response and Recovery Plans
Testing must include:
- Developing test objectives
- Executing the test
- Evaluating the test
- Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
- Implementing a follow-up process to ensure that the recommendations are implemented
ISACA CISM Review Manual Page 256

Types of Tests
Tests can include:
- Desk check / table-top walk-through of the plans
- Table-top walk-through with mock disaster scenarios (simulation tests)
- Testing the infrastructure and communication components of the recovery plan
- Testing the infrastructure and recovery of the critical applications (parallel tests)
- Full restoration and recovery tests with some personnel unfamiliar with the systems
ISACA CISM Review Manual Page 256

Test Results
The test should strive to:
- Verify the completeness and effectiveness of the response and recovery plans
- Evaluate the performance of the personnel involved in the exercise
- Evaluate the coordination among the team members and external vendors and suppliers
- Indicate areas where improvements to the plan are necessary
ISACA CISM Review Manual Page 256

Test Results cont.
The test should strive to:
- Measure the ability and capacity of the backup site to perform required processing
- Ensure vital records/data can be retrieved
- Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
- Measure the overall performance of operational and information systems related to maintaining the business entity
ISACA CISM Review Manual Page 257

Plan Maintenance Activities
The BCP and DR plans must be maintained through:
- Developing a schedule for periodic review and maintenance of the plan
- Updating the plan with personnel changes, phone numbers and responsibilities or status within the company
- Updating the plan whenever significant changes have occurred
  - Organizational change
  - Results of tests or incidents
ISACA CISM Review Manual Page 255

BCP and DRP Training
Training must be provided for all staff dependent on their responsibilities. Develop a schedule for training personnel in emergency and recovery procedures:
- Users
- Team members
- Local business unit liaisons

End of Chapter
This concludes the 2016 CISM Course.