Certified Information Security Manager Exam Prep Guide - Second Edition

Product type: Book
Published in: Dec 2022
Publisher: Packt
ISBN-13: 9781804610633
Pages: 718
Edition: 2nd Edition
Author: Hemang Doshi

Table of Contents (12 chapters):

  1. Preface
  2. Enterprise Governance
  3. Information Security Strategy
  4. Information Risk Assessment
  5. Information Risk Response
  6. Information Security Program Development
  7. Information Security Program Management
  8. Information Security Infrastructure and Architecture
  9. Information Security Monitoring Tools and Techniques
  10. Incident Management Readiness
  11. Incident Management Operations
  12. Answers to Practice Questions

Incident Management Operations

Accessing the Online Content

With this book, you get unlimited access to web-based CISM exam prep tools which include practice questions, flashcards, exam tips, and more. To unlock the content, you'll need to create an account using your unique sign-up code provided with this book. Refer to the Instructions for Unlocking the Online Content section in the Preface on how to do that.

If you've already created your account using those instructions, visit this link http://packt.link/cismexamguidewebsite or scan the following QR code to quickly open the website. Once there, click the Login link in the top-right corner of the page to access the content using your credentials.


In this chapter, you will learn about the practical aspects of information security incident management and understand the importance of building resilient business processes. You will also explore the practical aspects of business continuity and disaster recovery...

Incident Management Tools and Technologies

An information security manager needs to have a basic understanding of the following tools and technologies for managing incidents:

  • Incident management systems
  • Personnel
  • Audits
  • Outsourced security providers

Incident Management Systems

In recent years, a high volume of data and activities has prompted organizations to invest in and adopt automated incident management systems (IMSs). Many previously manual processes are automated by these systems, which filter data to help identify potential incidents and alert the incident management team (IMT).

An IMS can be in the form of a distributed or a centralized system. In a distributed system, multiple devices are placed to monitor for incidents, for example, network intrusion detection systems (NIDSs), host-based intrusion detection systems (HIDSs), logs, and so on.

Security information and event management (SIEM) is a centralized system. SIEM is an automatic log reader...

Executing Response and Recovery Plans

Security managers need to consider various aspects with respect to the execution of a response and recovery plan. For the smooth execution of the plan, it is very important to have defined roles and responsibilities for each individual. For the overall management of the plan, there should be a facilitator or director who is in charge of execution. This role should be assigned to a senior executive who has sufficient authority to make decisions during the crisis.

A security manager should consider the following aspects for the execution of the plan:

  • To ensure that control procedures are implemented in such a way that risks are appropriately addressed. For example, the mere installation of anti-malware is not sufficient. Virus signature files should be updated at regular intervals (ideally, updates should be automated to run daily). Any time gap between updates is a window of exposure.
  • In the case of a malware-infected server...

Incident Containment Methods

Containment includes all activities and procedures undertaken to reduce the impact of an incident. The objective of containment is to stop the spread of the incident. It does not necessarily identify or correct the root cause of the incident. The following are some examples of containment:

  • Removing the infected device from the network
  • Escalation to relevant stakeholders
  • Updating the firewall rules to block/deny/drop traffic

Because each incident is different, the methods used for containment must be tailored. The responsibility for initiating a containment action should reside with a senior officer, as it is critical to consider the benefits and drawbacks before initiating any action.

Practice Question Set 3

  1. As an information security manager, you note that your organization is at risk of a ransomware attack. What is the most effective method to minimize the impact of a successful ransomware attack?
    1. Increase the number of information...

Incident Response Communications

The primary objective of a communication plan is to educate employees on their roles and responsibilities with respect to the communication process. It includes processes such as who should authorize the communication, who should communicate, how to communicate, whom to communicate with, and what to communicate. A structured communication process during an incident improves the effectiveness of the incident response.

It is essential to define the various communication channels for the passing of information during an incident. Further, communication should be done only by authorized officials. This is to ensure that the chances of misunderstanding and disinformation are minimized to the greatest extent possible.

The list of official communication channels and authorized officials must be documented and communicated with each member. An information security manager should consider the availability of alternate communication channels in case...

Incident Eradication

As you learned previously in this chapter, the objective of the containment process is to stop the spread of an incident. The phase after containment is eradication. The objective of eradication is to identify and correct the root cause that led to the incident. Once containment efforts have been implemented successfully, eradication should be appropriately planned and performed. The following are some activities performed during eradication:

  • Root cause analysis
  • Updating the firewall and anti-virus to address any gaps
  • Scanning the system to determine whether any vulnerabilities remain unnoticed

Practice Question Set 5

  1. As an information security manager, you are required to determine the point from which the recovery point objective is calculated. Your best choice would be:
    1. The point at which incident response is initiated
    2. As deemed fit by the recovery manager considering the crisis
    3. Before image restoration
    4. The point that aligns with the...

Recovery

After the successful eradication of an incident, the next phase is recovery. The objective of the recovery phase is to ensure that the business is brought back to its original state by restoring the impacted systems.

While implementing recovery procedures, information security management needs to be careful and vigilant to ensure that the same vulnerabilities are not reintroduced. Once a system is compromised, there is no assurance that all abnormalities will be eradicated. An information security manager should avoid rushing to recover. Recovery procedures should be planned, tested, and implemented under the supervision of a senior official. The following are some activities performed during recovery:

  • Configuration of the security baseline
  • Testing
  • Monitoring performance

Practice Question Set 6

  1. As a newly appointed information security manager, you notice that an organization relies on the manual review of event logs to detect incidents. This leads...

Post-Incident Activities and Investigations

The objective of a post-incident review is to learn from each incident and improve the organization's response and recovery procedures. Lessons learned during incident management can best be used to inform the overall improvement of the security posture of the organization as well as the incident management process.

During a post-incident review, the overall cost of the incident is determined. Cost includes loss or damage to infrastructure, loss of business, cost of recovery, and the cost of the resources used to handle the incident. This cost provides useful metrics to justify the existence of the incident management team.

Identifying the Root Cause and Taking Corrective Action

An information security manager should appoint an event review team. This team should be responsible for determining the root cause of the incident and suggesting the appropriate actions that should be taken to prevent any reoccurrence of the incident.

...

Incident Response Procedures

The most effective method to handle an incident is to lay down a structured process for incident management.

Figure 10.4: The preparedness of the incident management team

A well-defined incident management process will yield far better results in reducing business disruptions compared to unorganized incident management processes.

The Outcome of Incident Management

A security manager should understand that good incident management will have the following outcomes:

  • The organization can effectively handle any unanticipated events.
  • The organization will have robust detection techniques and processes for the timely identification of incidents.
  • The organization will have well-defined criteria for defining the severity of incidents and an appropriate escalation process.
  • Experienced and well-trained staff will be available for the effective handling of incidents.
  • The organization will have proactive processes...

Incident Management Metrics and Indicators

The effectiveness and efficiency of the incident management process can best be measured through various metrics. Metrics are measures used to track and compare the performance of various processes. Metrics are generally developed in the form of key performance indicators (KPIs) and key goal indicators (KGIs).

Key Performance Indicators and Key Goal Indicators

KPIs are generally quantifiable measures used to measure an activity, for example, the percentage of incidents detected within 24 hours. KGIs can be either quantitative or qualitative, depending upon the process. KGIs are intended to show progress toward a predefined goal. For example, a goal could be to install antivirus software on all systems within 1 month. This could be monitored on a daily basis. The KGI for day 1 would be 5%, day 2 would be 10%, day 3 would be 20%, and so on. KPIs should provide value to the process owner as well as management. They should not be too complex...
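As an added example (not code from the book), the two metrics described above are computed over constructed records: the KPI "percentage of incidents detected within 24 hours" from occurrence/detection timestamps, and the KGI "progress toward anti-malware on all systems" from daily coverage counts. All identifiers and data below are constructed; incidents not yet detected count against the KPI.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Incident:
    """Constructed incident record: when it occurred and when the IMT detected it.
    detected is None while the incident is still undetected."""
    ident: str
    occurred: datetime
    detected: Optional[datetime]


def pct_detected_within(incidents: List[Incident],
                        window: timedelta = timedelta(hours=24)) -> float:
    """KPI: percentage of incidents detected within `window` of occurring.
    Undetected incidents are counted as misses; an empty set yields 0.0."""
    if not incidents:
        return 0.0
    hits = sum(1 for i in incidents
               if i.detected is not None and i.detected - i.occurred <= window)
    return round(100.0 * hits / len(incidents), 1)


def kgi_progress(hosts_with_av: int, total_hosts: int,
                 goal_pct: float = 100.0) -> Tuple[float, float]:
    """KGI: coverage achieved against the goal of anti-malware on all systems.
    Returns (coverage %, remaining % to reach the goal)."""
    if total_hosts <= 0:
        raise ValueError("total_hosts must be positive")
    coverage = round(100.0 * hosts_with_av / total_hosts, 1)
    return coverage, max(0.0, round(goal_pct - coverage, 1))


def kgi_series(daily_hosts_with_av: List[int], total_hosts: int) -> List[float]:
    """Daily KGI readings, as in the book's day 1 / day 2 / day 3 illustration."""
    return [kgi_progress(n, total_hosts)[0] for n in daily_hosts_with_av]


# Constructed sample data (not real incidents).
SAMPLE = [
    Incident("INC-1", datetime(2022, 12, 1, 8), datetime(2022, 12, 1, 20)),  # 12 h: within
    Incident("INC-2", datetime(2022, 12, 2, 8), datetime(2022, 12, 3, 8)),   # exactly 24 h: within
    Incident("INC-3", datetime(2022, 12, 3, 8), datetime(2022, 12, 5, 9)),   # 49 h: late
    Incident("INC-4", datetime(2022, 12, 4, 8), None),                       # still undetected
]

if __name__ == "__main__":
    print("KPI: % detected within 24 h =", pct_detected_within(SAMPLE))
    print("KGI: daily AV coverage % =", kgi_series([5, 10, 20], 100))
```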

The Current State of Incident Response Capabilities

Every organization has some sort of incident management capability, either structured or unstructured. The information security manager must determine the current state of capability. This will help them understand the areas in need of further improvement. An information security manager can determine the current state in any of the following ways:

  • The current state can be determined by conducting a survey of senior management, business managers, and IT employees. This will help them understand the perception of the focus group about incident management capabilities.
  • The current state can also be determined by self-assessment. This can be done by comparing the current processes with some standard criteria. In this method, the views of other stakeholders are ignored, and this can be a major challenge.

The current state can be determined by external assessment or audit. This is the most comprehensive method as it involves...

Summary

In this chapter, you explored the practical aspects of information security incident management. This chapter will help CISM candidates understand the different types of incident management tools and techniques. You will be able to execute a response and recovery plan in a more effective manner. This chapter will also help you design incident management metrics and indicators and determine the current state of the organization's incident response capability. You also learned how, as a CISM candidate, you can implement different post-incident activities and investigations.

This book has discussed all four domains of the CISM Review Manual by ISACA and will have helped CISM aspirants gain a sufficient theoretical, as well as practical, understanding of those domains. Aspirants should now feel prepared to pass the CISM exam.

Revision Questions

  1. A security manager discovered an attempted SQL injection attack on an application. However, they could not determine whether it was successful. Who is in the best position to assess the possible impact of the attack?
    1. The application support team
    2. The incident response team
    3. The business process owner
    4. The network security team
  2. What is the most important advantage of implementing a systematic and methodological incident management program?
    1. It reduces the cost of incident management
    2. It makes incident management more flexible
    3. It helps the responder gain experience
    4. It provides evidence of due diligence to support legal and liability claims
  3. Once a virus incident has been resolved, the security manager will be most interested in knowing the:
    1. Configuration of the anti-malware software
    2. Other organizations impacted by the same virus
    3. Path of the virus's entry
    4. Author of the virus
  4. What is the objective of reviewing the observations of staff involved in a disaster recovery...