Chapter 10: Overview of Information Security Incident Management

In this chapter, we will provide an overview of information security incident management and look at the advantages of a structured and effective incident management process. CISM aspirants will gain an understanding of the different aspects of incident management.

The following topics will be covered in this chapter:

  • Incident management overview
  • Incident response procedure
  • Incident management metrics and indicators
  • The current state of the incident response capabilities
  • Developing an incident response plan

Let’s understand each of these topics in detail.

Incident management overview

Incident management is defined as the process of handling disruptive events in a structured manner to minimize their impact on business processes. In most organizations, the responsibility for developing and testing the incident management process lies with the information security manager.

Objectives of incident management

Security managers need to understand the following objectives of the incident management process:

  • Detecting incidents early
  • Accurately investigating the incident
  • Containing and minimizing damage
  • Being able to restore services early
  • Determining the root cause and addressing the same to prevent reoccurrence

All these activities will lead to minimizing the impact the incident has on the organization.

Phases of the incident management life cycle

It is very important to have a structured and well-defined process to manage the incident. The following life cycle is recommended for effective incident management.

Phase 1 – Planning and preparation

The first phase is to prepare an incident management policy, assign roles and responsibilities, develop communication channels, create user awareness, and develop systems and procedures to manage the incidents.

An incident response plan is a very important document that includes a step-by-step process to be followed, along with assigned roles and responsibilities. An incident response plan helps the security manager handle incidents.

Phase 2 – Detection, triage, and investigation

The second phase is about detection techniques and processes such as the intrusion detection system (IDS), intrusion prevention system (IPS), and security information and event management (SIEM) tools and their implementation. Timely detection is of the utmost importance for an effective incident management process. A security manager needs to verify and validate the incident before any containment action is taken.

Triage means deciding the order of treatment based on urgency. It is very important to prioritize incidents based on their possible impact. Quickly ranking an incident against the severity criteria is a key element of incident response. To determine the severity of an incident, it is recommended to consult the business process owner of the affected operations.

Phase 3 – Containment and recovery

The next phase is executing the containment process for the identified incident. Containment means taking some action to prevent the expansion of the incident. Incident response procedures primarily focus on containing the incident and minimizing damage. For example, when a virus is identified in a computer, the first action should be containing the risk; that is, disconnecting the computer from the network so that it does not impact other computers.

After successful containment, forensic analysis must be performed, ensuring a proper chain of custody. Chain of custody is a legal term that requires that evidence is handled properly to ensure its integrity. In the case of major incidents, the recovery procedure should be executed as per the business continuity plan and disaster recovery plan.

Phase 4 – Post-incident review

This phase will help evaluate the cause and impact of the incident. It also helps you understand the loopholes in the processes. It provides you with the opportunity to improve based on lessons learned.

Phase 5 – Incident closure

This phase is about evaluating the effectiveness of the incident management process. The final report is submitted to management and other stakeholders.

In the next section, we will discuss the relationship between incident management, business continuity, and disaster recovery.

Incident management, business continuity, and disaster recovery

The security manager should understand the relationship between incident management, business continuity, and disaster recovery. The incident management process is generally the first step when an adverse incident is identified. The goal of an incident management process is to prevent incidents from becoming disasters. Incidents vary in nature, extent, and impact.

Minor incidents can be effectively handled by the incident management process. However, there can be incidents that lead to major business disruptions and, in such cases, the organization needs to activate its business continuity plan (BCP) and disaster recovery plan (DRP) processes. Responsibility for declaring a disaster should be entrusted to an individual at the senior level who has enough experience to determine the impact of the incident on business processes. This responsibility for declaring a disaster should be determined when the incident response plan is established. The business continuity and disaster recovery processes involve activating an alternate recovery site.

Incident management and service delivery objective

Service delivery objective (SDO) is the service level required to be maintained during a disruption. For example, during the normal course of operations, an organization provides a service to 100 clients. The organization wants to provide a continuous service to the top 20 clients, even during business disruption. In this case, the service delivery objective is the top 20 clients. The SDO should be sufficient to sustain the credibility of the organization.

The primary focus of incident response is to ensure that the defined service delivery objectives are achieved. The acceptability of partial system recovery after a security incident is most likely based on the SDO. The SDO also has a direct impact on the level and extent to which data restoration is required.

Maximum tolerable outage (MTO) and allowable interruption window (AIW)

The maximum tolerable outage (MTO) is the maximum time that an organization can operate from an alternate site. Various factors affect the MTO, such as location availability, resource availability, raw material availability, or electric power availability at an alternate site, as well as other constraints. The recovery time objective (RTO) is determined based on the MTO.

For example, a disaster occurred on January 1, and from January 2 onward, the service was made available to 20% of the clients (that is, the SDO) from an alternate site. However, the organization can only operate from an alternate site for 2 months due to location constraints. These 2 months are considered the MTO.

The allowable interruption window (AIW) is the maximum time for which normal operations of the organization can be down. After this point, the organization starts to face major financial difficulties that threaten its existence. Let’s continue with the preceding example where, if, within 2 months of a disaster, the main site is not made operational, the organization will not be able to sustain itself due to financial scarcity. This indicates that the organization only has financial capabilities for 2 months. These 2 months are considered the AIW.

The security manager should try to ensure that the MTO is equal to or higher than the AIW. Generally, the MTO should be as long as the AIW to minimize the risk to the organization. This means that arrangements for an alternate site should be made at least until the organization has financial stability.

Key aspects from the CISM exam’s perspective

The following are some of the key aspects from the exam’s perspective:

Practice questions

  1. Which of the following plans will best support the security manager in handling a security breach?

    A. Change management plan

    B. Business continuity plan

    C. Incident response plan

    D. Disaster recovery plan

    Answer: C. Incident response plan.

    Explanation: The incident response plan includes a detailed procedure for handling the incident. It also includes detailed roles and the responsibilities of different teams to handle the incident. A security breach can be best handled by using an incident response plan. The BCP and DRP will be applicable when an incident becomes a disaster and an alternate site must be activated. The change management plan is used to manage the changes and does not directly impact how a security breach is handled.

  2. The security manager has been informed about a fire in the facility. What should be his course of action?

    A. To check the facility access log

    B. To call a meeting with the emergency response team

    C. To activate the business continuity plan

    D. To activate alternate site operations

    Answer: A. To check the facility access log.

    Explanation: The first step should be to check the facility access log and determine the number of employees in the facility. They should be evacuated on an emergency basis. The safety of people should always come first. The other options are secondary actions.

  3. What is the most effective way to address the risk of network denial of service (DoS) attacks?

    A. Regularly updating operating system patches

    B. Installing a packet filtering firewall to drop suspect packets

    C. Employing NAT to make the internal address non-routable

    D. Employing load balancing devices

    Answer: B. Installing a packet filtering firewall to drop suspect packets.

    Explanation: In a DoS attack, numerous packets are sent to a particular IP address to disrupt the services. Installing a packet filtering firewall will help drop the suspected packets and thus reduce network congestion caused by the DoS attack. Patching the OS will not affect network traffic. Implementing NAT or load balancing would not be as effective in addressing the DoS attack.

  4. An incident was reported about a stolen laptop. What should be the first course of action of the security manager?

    A. To determine the impact of the information loss

    B. To remove the stolen laptop from the inventory list

    C. To ensure compliance with reporting procedures

    D. To remove access for the user immediately

    Answer: C. To ensure compliance with reporting procedures.

    Explanation: The first step is to initiate the reporting process, as defined in the incident response procedure. The incident response procedure may include submitting a report to the police authorities, wiping out data remotely, removing users, and so on. Determining the impact and removing the item from the inventory list are subsequent actions.

  5. When should the person responsible for declaring the disaster be established?

    A. At the time the plan was established

    B. After the incident is confirmed by the security team

    C. After the incident management plan has been tested

    D. After the incident management plan has been approved

    Answer: A. At the time the plan was established.

    Explanation: Roles and responsibilities should be assigned at the time of preparing the plan. An unclear plan will have an adverse impact when executing the plan. Without assigned roles and responsibilities, testing and approval will not be effective.

  6. Apart from backup data, an offsite site should also store what?

    A. The contact details of the key supplier

    B. Copies of the business continuity plan

    C. Copies of key service-level agreements

    D. The contact details of key employees

    Answer: B. Copies of the business continuity plan.

    Explanation: The BCP contains a step-wise process to ensure continuity of the business from an alternate site. Without a copy of the BCP, recovery efforts may not be effective. Generally, the BCP includes contact details of key employees, suppliers, and key service-level agreements.

  7. When an incident is reported, what should be the priority of the security manager?

    A. Investigation

    B. Documentation

    C. Restoration

    D. Containment

    Answer: D. Containment.

    Explanation: Containment means taking some action to prevent the expansion of the incident. Incident response procedures primarily focus on containing the incident and minimizing damage. For example, when a virus is identified in a computer, the first action should be containing the risk; that is, disconnecting the computer from the network so that it does not impact other computers. The other options are subsequent actions.

  8. What area is of the most concern for a security manager?

    A. Logs are not captured for the production server.

    B. The access rights of a terminated employee are not deactivated.

    C. An increase in incident reporting concerning phishing emails.

    D. A Trojan horse installed on the system administrator’s computer.

    Answer: D. A Trojan horse installed on the system administrator’s computer.

    Explanation: A Trojan horse is a type of illegitimate software that is often disguised as legitimate software. It is a type of malware. Trojans are used by intruders to attempt to gain unauthorized access to an organization’s network and systems. Finding a Trojan horse in an administrator’s computer is a major concern as the administrator will have privileged access, which can be exploited. The other options are serious issues but not as significant as a Trojan horse.

  9. What area is of most concern for a security manager?

    A. Anti-malware software is updated daily.

    B. Security logs are reviewed after office hours.

    C. It takes 24 hours to update patches after their release.

    D. It takes 6 days to investigate the security incidents.

    Answer: D. It takes 6 days to investigate the security incidents.

    Explanation: A delay in an investigation is of major concern as it can have a major impact on business processes. The other options do not pose significant risks.

  10. Management’s requirement for a quick incident resolution _________.

    A. always gives positive results

    B. often clashes with effective problem management

    C. increases the attrition rate of the security team

    D. supports the forensic investigation

    Answer: B. often clashes with effective problem management.

    Explanation: One of the most important objectives of problem management is to understand the root cause of the incident and address the same so that the same type of incident does not reoccur. Merely restoring the service at the earliest juncture is not the solution. Hence, if the incident is to be closed within a strict timeline, then this aspect may be missed. Quick resolution may not always give positive results. Forensics is concerned with evidence, analysis, and preservation from a legal perspective and is not concerned with service continuity.

  11. The security manager has noted that a network attack is in progress. What should be his course of action?

    A. Disconnecting all network access points

    B. Analyzing the event logs

    C. Isolating the impacted network

    D. Monitoring the attack to trace the perpetrator

    Answer: C. Isolating the impacted network.

    Explanation: The most important action is to isolate the network and contain the spread of the attack. Disconnecting all the network access points will impact business processes and should be the last resort. Analyzing and monitoring are subsequent actions.

  12. The emergency response plan should primarily concentrate on what?

    A. Protecting sensitive data

    B. Protecting the infrastructure

    C. The safety of personnel

    D. Activating the recovery site

    Answer: C. The safety of personnel.

    Explanation: The safety of human life is of the topmost priority for any emergency response plan.

  13. What is the most important aspect of an incident response policy?

    A. Details of the key supplier

    B. Escalation criteria

    C. Communication process

    D. Backup requirements

    Answer: B. Escalation criteria.

    Explanation: The escalation criteria include specific actions to be followed, as per the predefined timelines. It also includes the defined roles and responsibilities of individual team members. To smoothly execute incident response, it is of the utmost importance to follow the escalation criteria.

  14. The security manager has noted a security incident. What should be his next course of action?

    A. Inform senior management

    B. Determine the impact of a compromise

    C. Report the incident to the stakeholders

    D. Investigate the root cause of the security breach

    Answer: B. Determine the impact of a compromise.

    Explanation: The first course of action is to determine how much of an impact this will have on the organization. Even while reporting to senior management and other stakeholders, the extent of compromise needs to be submitted.

  15. The security manager has noted that a computer has been infected with a virus. What should be their first course of action?

    A. Determine the source of the virus infection

    B. Scan the entire network to determine whether another device is infected

    C. Disconnect the computer from the network

    D. Format the hard disk

    Answer: C. Disconnect the computer from the network.

    Explanation: The first step is to contain the spread of the virus by disconnecting the infected computer. The other options are subsequent steps.

  16. What is the main objective of incident response?

    A. To provide the status of the incident to senior management

    B. To evaluate the evidence

    C. To minimize business disruptions

    D. To support authorities in their investigation

    Answer: C. To minimize business disruptions.

    Explanation: The main objective of incident response is to contain the incident, thereby minimizing damage. The other options are not the primary objectives of incident response.

  17. The security manager has noted that the email server has been compromised at the administrative level. What is the best way to make the system secure?

    A. To change the administrative password of the system

    B. To configure 2-factor authentication

    C. To rebuild the system from the original media

    D. To isolate the server from the network

    Answer: C. To rebuild the system from the original media.

    Explanation: Due to a compromise at the administrative level, malware may be installed on the server. The best way is to rebuild the email server from the original media. This will address the risk of the presence of any hidden malware. Isolation is a temporary solution. Changing the password and 2-factor authentication will not be able to address the hidden virus in the email server.

  18. A business continuity program is primarily based on what?

    A. The cost of building an offsite recovery site

    B. The cost of the unavailability of the system

    C. The cost of the incident response team

    D. The cost of the disaster recovery team

    Answer: B. The cost of the unavailability of the system.

    Explanation: Unavailability of the system due to a disaster may result in a loss to the organization, and this loss increases with every day the system remains unavailable. A business continuity program is designed based on this loss: the RTO, RPO, and recovery sites are finalized according to the cost of the system's unavailability. The other options do not directly impact the business continuity program.

  19. Which of the following documents is the most important to include in the computer incident response team manual?

    A. Results of risk analysis

    B. Incident severity criteria

    C. Details of key suppliers

    D. Call tree directory

    Answer: B. Incident severity criteria.

    Explanation: It is very important to prioritize incidents based on their possible impact. Quickly ranking an incident against the severity criteria is a key element of incident response. The other details are not included in the computer incident response team manual as they will be included in the BCP.

  20. The security manager has noted that a server is infected with a virus. What is the most important action to take here?

    A. Immediately isolate the server from the network

    B. Determine the possible impact of the infection

    C. Determine the source of virus entry

    D. Determine a security loophole in the firewall

    Answer: A. Immediately isolate the server from the network.

    Explanation: The most important action is to isolate the server and contain any further spread of the virus. The other options are subsequent actions.

  21. What is the primary purpose of the incident response procedure?

    A. Containing incidents to reduce damage

    B. To determine the root cause of the incident

    C. To implement corrective control to prevent reoccurrence

    D. To maintain records of the incident

    Answer: A. Containing incidents to reduce damage.

    Explanation: Containment means taking some action to prevent the expansion of the incident. Incident response procedures primarily focus on containing the incident and minimizing damage. The other options also lead to minimizing damage.

  22. What is the most important objective of incident management?

    A. To contain

    B. To conduct root cause analysis

    C. To eradicate

    D. To control the impact

    Answer: D. To control the impact.

    Explanation: The main objective of incident management is to minimize the damage to the organization. Containment, root cause, and eradication are the steps to minimize the damage.

  23. The severity of the incident can be best determined by which of the following?

    A. Analyzing past incidents

    B. Benchmarking with a similar industry

    C. The value of the impacted asset

    D. Involving managers from affected operational areas

    Answer: D. Involving managers from affected operational areas.

    Explanation: The severity of the incident can be best determined based on the level of impact on the organization. The manager of the affected operational areas will be in the best position to determine the impact. Past incidents and benchmarking will not give an accurate impact. Valuation is based on the total business impact and not only on asset value.

  24. The security manager is developing an incident response plan. What should be his first step?

    A. Determining the time required to respond to the incident

    B. Determining the escalation process

    C. Determining the resource requirement

    D. Determining the category of the incident based on its likelihood and impact

    Answer: D. Determining the category of the incident based on its likelihood and impact.

    Explanation: The first step should be to determine the various categories of the incidents based on their likelihood and impact. Based on the category, other options such as turnaround time, escalation process, and required resources can be determined.

  25. What is the main objective of incident management and response?

    A. Restore the disruptive processes within a defined time frame

    B. Conduct a walk-through to recover from an adverse event

    C. Comply with the insurance coverage clause

    D. Address the event to control the impact within an acceptable level

    Answer: D. Address the event to control the impact within an acceptable level.

    Explanation: The main goal of an incident management process is to restrict the incidents from growing into problems and problems growing into disasters. Restoring disruptive processes is the objective of the disaster recovery procedure.

  26. What is the most effective factor in any incident management process?

    A. The capability to detect the incident

    B. The capability to respond to the incident

    C. The capability to classify the incident

    D. The capability to document the incident

    Answer: A. The capability to detect the incident.

    Explanation: Timely detection is of the utmost importance for an effective incident management process. The other options are not as significant as the capability to detect the incident.

  27. The security manager noted that incident reports from different business units are not consistent and correct. What should be his first course of action?

    A. To determine whether a clear incident definition and criteria for severity exist

    B. To implement a training program for all the employees of the organization

    C. To escalate the issue to senior management for appropriate action

    D. To impose a heavy penalty for an inconsistent approach

    Answer: A. To determine whether a clear incident definition and criteria for severity exist.

    Explanation: The first step is to determine whether an organizational-level incident management procedure exists. If not, this should be done on priority. The other options are secondary actions.

  28. What is the best way to detect security violations in a timely and effective manner?

    A. To develop a structured communication channel

    B. To conduct a third-party audit of incident reporting logs

    C. To implement an automatic compliance monitoring system

    D. To enable anonymous reporting

    Answer: A. To develop a structured communication channel.

    Explanation: The organization should have well-defined communication channels for timely communication concerning incidents to different stakeholders and external parties. The channel should support two-way communication; that is, employees should be able to communicate with the incident management team and management should be able to communicate with employees. Having an ineffective communication process is a major challenge as incomplete or untimely communication will cause hurdles in the incident handling process. The other options are not as significant as the communication channel.

  29. What is an area of major concern for a risk-based incident response program?

    A. Fraud due to collusion among employees

    B. Poor quality of investigations

    C. Reduction in false positive alerts

    D. Repeated low-risk events

    Answer: D. Repeated low-risk events.

    Explanation: In a risk-based approach, the focus is on high-risk events. Perpetrators may take advantage of this and concentrate on exploiting low-risk areas multiple times. Even though the impact of the event is small per incident, accumulated damages may be much higher. Hence, it is also important to review the possibility of the repeated occurrence of low-risk events.

  30. The security manager has noted that a server has been compromised and sensitive data has been stolen. After confirming the incident, the next step is to do what?

    A. Report this to law enforcement

    B. Start containment

    C. Ensure the availability of backup data

    D. Disconnect the affected server

    Answer: B. Start containment.

    Explanation: Containment means taking some action to prevent the expansion of the incident. Incident response procedures primarily focus on containing the incident and minimizing damage. Disconnecting the server is part of the containment process. The other options are subsequent steps.

  31. In which of the following plans is proactive security assessment and evaluation done for computing infrastructure?

    A. Business continuity plan

    B. Business impact analysis

    C. Incident management plan

    D. Disaster recovery plan

    Answer: C. Incident management plan.

    Explanation: The objective of the incident management plan is to not only recover from an incident that has already occurred, but to take actions to prevent the incident. The incident management plan should include a proactive security assessment to improve the processes and reduce the chances of the incident occurring. The BCP and DRP concentrate on activities that deal with business interruption due to disaster. The BIA is used to determine the critical processes of the organization.

  32. What is the most effective way to determine the impact of a denial-of-service attack?

    A. To determine the source of the attack

    B. To determine the number of hours that the attack was active for

    C. To determine the criticality of the affected services

    D. By reviewing the firewall logs

    Answer: C. To determine the criticality of the affected services.

    Explanation: The business impact can be best determined by knowing the criticality of the affected system. The other options will not help determine the impact.

  33. What is the most effective way to monitor outsourced incident management functions?

    A. Frequently testing the plan and a dedicated team to provide oversight

    B. The availability of the documented plan from the service provider

    C. A structured communication channel

    D. Frequently auditing the service provider’s functions

    Answer: A. Frequently testing the plan and a dedicated team to provide oversight.

    Explanation: Testing the plan will help you understand the capability of the service provider to address the incidents. Also, it is important to have an oversight team to monitor the activity of the service provider. Audits, structured communication channels, and documented plans are also important aspects, but in the absence of a tested plan, it is difficult to determine the capabilities of the service provider.

  34. What is the most important aspect while defining the incident response procedures?

    A. Closing the incident within a defined timeline

    B. Minimizing the number of incidents

    C. Collecting evidence for the audit

    D. Meeting service delivery objectives

    Answer: D. Meeting service delivery objectives.

    Explanation: The incident response procedure should support the service delivery objective. This is the extent of the service’s operational capability to be maintained during an incident. The other options are not as significant as supporting the service delivery objectives.

  35. After an incident, the security manager has noted that full system recovery will take a longer time than normal. His efforts are concentrated on partially recovering the system. This level of partial system recovery is most likely based on what?

    A. The capability of the recovery manager

    B. The maximum tolerable outage

    C. The service delivery objective

    D. The availability of a recovery budget

    Answer: C. The service delivery objective.

    Explanation: The SDO is the extent of the service’s operational capability to be maintained from an alternate site. The SDO is directly related to business needs and is the level of service to be attained during disaster recovery. This is influenced by business requirements. The MTO and available budget are determined based on the SDO.

  36. The security manager has noted that the BCP has not been updated in the last 5 years and that the maximum tolerable outage (MTO) is much shorter than the allowable interruption window (AIW). What should be their course of action?

    A. Take no action as the same has already been approved by business management

    B. Conduct a fresh business impact analysis and update the plan

    C. Increase the maximum tolerable outage

    D. Decrease the allowable interruption window

    Answer: B. Conduct a fresh business impact analysis and update the plan.

    Explanation: Generally, the MTO should be as long as the AIW. However, without conducting a business impact analysis, there is no way to determine whether the MTO or the AIW is incorrect. Based on a fresh business impact analysis (BIA), the AIW will be arrived at. The AIW is the maximum time for which the normal operations of the organization can be down. After this point, the organization starts facing major financial difficulties that threaten its existence. Based on the AIW, the MTO should be arrived at. The maximum tolerable outage is the maximum time that an organization can operate from an alternate site. Various factors affect the MTO, such as location availability, resource availability, raw material availability, or electric power availability at alternate sites, as well as other constraints. All these constraints should be addressed to ensure that the MTO is as long as the AIW.

  37. Incident management supports the organization by doing what?

    A. Removing external threats

    B. Optimizing the risk management efforts

    C. Streamlining the recovery plans

    D. Structuring the reporting process

    Answer: B. Optimizing the risk management efforts.

    Explanation: Incident management is a component of risk management that focuses on preventing and containing the adverse impact of incidents. Incident management does not remove these threats. The other options are not the primary objective of incident management.

  38. Which of the following determines the priority of incident response activities?

    A. Disaster recovery plan

    B. Business continuity plan

    C. Security team structure

    D. Business impact analysis

    Answer: D. Business impact analysis.

    Explanation: The BIA determines the critical processes of the organization. Incident response activities primarily focus on protecting the critical processes of the organization. The other options do not impact the prioritization of incident response activities.

  39. The data restoration plan is primarily based on what?

    A. Transaction processing time

    B. Backup budget

    C. Service delivery objective

    D. Data restoration software

    Answer: C. Service delivery objective.

    Explanation: The data restoration plan determines how much data will be restored within a predefined limit. The extent of data restoration is primarily based on the SDO. This is the extent of the service’s operational capability to be maintained from an alternate site. The service delivery objective is directly related to business needs and is the level of service to be attained during disaster recovery. This is influenced by business requirements.

  40. What is the most important factor for a global organization to ensure the continuity of a business in an emergency?

    A. Documenting delegation of authority at an alternate site

    B. Documenting key process documents at an alternate site

    C. Documenting the key service provider at an alternate site

    D. Support from senior management

    Answer: B. Documenting key process documents at an alternate site.

    Explanation: Continuity can be best ensured if personnel who have to resume the key processes are aware of the procedure. If procedural documents are not available at an alternate site, it will hamper the continuity arrangement. If the key process documents are made available at an offsite location, they can be utilized by employees operating from the offsite location during a disaster. This documentation will also support employees who may not typically be involved in performing those functions. The other options are not as significant as key process documents.

Incident response procedure

The most effective way to handle an incident is to lay down a structured process for incident management. On a lighter note, the following figure indicates the preparedness of the incident management team:

Figure 10.1 – Incident team

A well-defined incident management process will yield far better results in reducing business disruptions compared to unorganized incident management processes.

The outcome of incident management

The security manager should understand that good incident management will have the following outcome:

  • The organization can effectively handle any unanticipated events.
  • The organization will have robust detection techniques and processes for identifying incidents.
  • The organization will have well-defined criteria for defining the severity of the incident and the appropriate escalation process.
  • The availability of experienced and well-trained staff to effectively handle the incidents.
  • The organization will have proactive processes to manage the risk of incidents in a cost-effective manner.
  • The organization will have well-defined metrics to monitor the response capabilities and incident management’s performance.
  • The organization will have well-defined communication channels for timely communication concerning incidents for different stakeholders and external parties.
  • The organization will have a well-defined process to analyze the root cause of the incident and address any gaps to prevent their reoccurrence.

The role of the information security manager

The extent to which the security manager is involved in managing incidents varies in different organizations. However, for any information security-related incident, the prime responsibility of handling the incident resides with the information security manager.

To manage security incidents, the information security manager should have a good conceptual understanding of the incident management procedures. They should also have a thorough understanding of the business continuity and disaster recovery processes. This will ensure that the incident management plan is integrated with the overall business continuity and disaster recovery plan.

Security Information and Event Management (SIEM)

A security information and event management (SIEM) system collects data from various sources and analyzes it for possible security events.

The SIEM system can detect attacks by signature or behavior (heuristics)-based analysis. SIEM can perform granular assessments. SIEM can highlight the developing trends and can alert the risk practitioner for immediate response. SIEM is the most effective way to determine aggregate risk from different sources. SIEM is the best way to counter advanced persistent threats. On a lighter note, the importance of log capturing and monitoring can be seen from the following figure:

Figure 10.2 – SIEM

The following are some of the characteristics of an effective SIEM:

  • It can consolidate and correlate inputs from different systems.
  • It can identify incidents.
  • It can notify staff.
  • It can prioritize incidents based on the possible impact.
  • It can track the status of each incident.
  • It can integrate with other IT systems.

Thus, SIEM can provide information on policy compliance, as well as incident monitoring and other capabilities if they’re deployed, configured, and tuned.

A properly installed SIEM system will help automate the incident management process and lead to considerable cost savings by minimizing the impact of the incidents. Though SIEM may be costly, it helps to save on the operating costs of manual processes (in place of SIEM) and recovery costs (by detecting incidents early).

SIEM helps to identify incidents by way of log analysis based on predefined rules. One of the most important challenges of implementing SIEM is to reduce false-positive alerts. The most effective way to reduce false-positive alerts is to develop business use cases. The business use case documents the entire workflow, which provides the required results. In this scenario, the business case would focus on the ability of SIEM to analyze the logs for known threats.
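The following is an added example (not from the book) of the correlation and use-case idea described above: it parses a few constructed, syslog-like authentication lines, contrasts a naive rule that alerts on every failed login with a documented "repeated failures followed by a success" use case, and ranks the resulting alerts by a hypothetical BIA impact rating for the affected host. Host names, addresses and the asset ratings are all made up.

```python
"""Added example (not from the book): a minimal SIEM-style correlation over
constructed authentication log lines. A naive rule alerts on every failure;
the use-case rule only alerts when several failures from one source are
followed by a success within a short window, then prioritizes by impact."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like; hosts and addresses are made up).
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host=hr-db01 event=login result=FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 host=hr-db01 event=login result=FAIL user=alice src=10.0.0.5
2024-03-01T09:00:05 host=hr-db01 event=login result=FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 host=hr-db01 event=login result=SUCCESS user=alice src=10.0.0.5
2024-03-01T09:10:00 host=web-kiosk event=login result=FAIL user=bob src=10.0.0.7
2024-03-01T09:45:00 host=web-kiosk event=login result=SUCCESS user=bob src=10.0.0.7
2024-03-01T10:00:00 host=fileshare event=login result=FAIL user=carol src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Hypothetical asset register: business impact ratings taken from a BIA.
ASSET_IMPACT = {"hr-db01": "high", "fileshare": "medium", "web-kiosk": "low"}


def parse_logs(text):
    """Normalize raw lines into dicts: the 'consolidate inputs' step."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format; a real SIEM would count parse failures
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def naive_rule(events):
    """Alert on every failed login. Simple, but every typo becomes an alert."""
    return [{"host": e["host"], "src": e["src"], "user": e["user"],
             "reason": "failed login"} for e in events if e["result"] == "FAIL"]


def prioritize(alerts):
    """Order alerts by BIA impact so high-impact assets are handled first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: rank[a["severity"]])


def use_case_rule(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert only when >= min_failures failures from one (host, src, user) are
    followed by a success within the window. This is the documented use case;
    isolated mistyped passwords no longer raise alerts."""
    failures = defaultdict(list)  # (host, src, user) -> failure timestamps
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["src"], e["user"])
        if e["result"] == "FAIL":
            failures[key].append(e["ts"])
        elif e["result"] == "SUCCESS":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"host": e["host"], "src": e["src"],
                               "user": e["user"],
                               "reason": f"{len(recent)} failures then success",
                               "severity": ASSET_IMPACT.get(e["host"], "low")})
            failures[key].clear()  # a success closes the sequence
    return prioritize(alerts)


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print(len(naive_rule(evs)), "naive alerts")  # 5
    for a in use_case_rule(evs):                  # one alert, on hr-db01
        print(a["severity"], a["host"], a["reason"])
```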

Key aspects from the CISM exam’s perspective

The following are some of the key aspects from the exam’s perspective:

Practice questions

  1. What is the best way to reduce the false-positive alerts of a security information and event management system?

    A. Build business cases

    B. Analyze the network traffic

    C. Conduct a risk assessment

    D. Improve the quality of logs

    Answer: A. Build business cases.

    Explanation: One of the most important challenges associated with implementing SIEM is to reduce the false-positive alerts. The most effective way to reduce false-positive alerts is to develop business use cases. The business use case documents the entire workflow, which provides the required results. In this scenario, the business case would focus on the ability of SIEM to analyze the logs for known threats. The other options are components for developing the business case.

  2. What is the most effective way to utilize security information and event management (SIEM)?

    A. SIEM supports compliance with security policies.

    B. SIEM is used to reduce the residual risk.

    C. SIEM replaces the packet filtering firewall.

    D. SIEM promotes the compensating controls.

    Answer: A. SIEM supports compliance with security policies.

    Explanation: SIEM helps to identify the incidents by way of log analysis based on predefined rules. SIEM can provide information on policy compliance as well as incident monitoring and other capabilities if they’re properly deployed, configured, and tuned. SIEM is not meant to reduce the residual risk, replace the firewall, or promote compensating controls.

  3. Advanced persistent threats can be most effectively countered by which of the following?

    A. An intrusion detection system

    B. A security information and event management system

    C. An automated penetration test

    D. A comprehensive network management system

    Answer: B. A security information and event management system.

    Explanation: The SIEM system collects data from various sources and analyzes the same for possible security events. The SIEM system can detect attacks via signature or behavior (heuristics)-based analysis. SIEM can perform granular assessments. SIEM can highlight the developing trends and can alert the risk practitioner for an immediate response. SIEM is the most effective method for determining aggregate risk from different sources. The other options are not as effective as SIEM.

Incident management metrics and indicators

The effectiveness and efficiency of the incident management process can be best measured through various metrics. Metrics are measures that are used to track and compare the performance of various processes. Metrics are generally developed in the form of key performance indicators (KPIs) and key goal indicators (KGIs).

Key performance indicators and key goal indicators

KPIs are generally quantifiable measures that are used to measure activity (for example, the percentage of incidents detected within 24 hours). KGIs can be either quantitative or qualitative, depending on the process. KGIs are intended to show the progress toward a predefined goal. For example, a goal can be to install antivirus on all the systems within 1 month. This can be monitored daily. The KGI can be 5% for day 1, 10% for day 2, 20% for day 3, and so on. KPIs should provide value to the process owner, as well as management. KPIs should not be too complex to understand, as shown in the following figure:

Figure 10.3 – KPIs

Defined KPIs and KGIs should be agreed upon by the relevant stakeholders and approved by senior management.

Metrics for incident management

The metrics for incident management help the security manager understand the capabilities of the incident management processes and further areas for improvement. The following are some of the metrics for measuring the performance of incident management processes:

  • Number of reported incidents
  • Number of detected incidents
  • Average time to detect the incident
  • Average time to close the incident
  • Percentage of incidents resolved successfully
  • Number of employees trained on security awareness
  • Trends indicating the total damage over the period

These metrics should help the organization achieve defined objectives efficiently and cost-effectively.
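As an added example (not from the book), the following computes the metrics listed above from a constructed incident register. It assumes a register where "reported" incidents came from users or the help desk and "detected" ones from monitoring controls, keeps incidents that are still open out of the time-to-close average, and groups estimated damage by month for the trend figure.

```python
"""Added example (not from the book): incident management metrics computed
from a constructed incident register. Field names and values are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed register. 'source' is how the incident came to light
# (user_report or monitoring); 'closed' is None while the incident is open;
# 'damage' is the estimated loss in one currency unit.
INCIDENTS = [
    {"id": "INC-1", "source": "user_report", "occurred": "2024-01-03T08:00",
     "detected": "2024-01-03T10:00", "closed": "2024-01-04T10:00",
     "resolved": True, "damage": 500},
    {"id": "INC-2", "source": "monitoring", "occurred": "2024-01-10T08:00",
     "detected": "2024-01-12T08:00", "closed": "2024-01-15T08:00",
     "resolved": False, "damage": 4000},
    {"id": "INC-3", "source": "monitoring", "occurred": "2024-02-01T09:00",
     "detected": "2024-02-01T09:30", "closed": "2024-02-01T15:30",
     "resolved": True, "damage": 100},
    {"id": "INC-4", "source": "user_report", "occurred": "2024-02-20T09:00",
     "detected": "2024-02-20T13:00", "closed": None,
     "resolved": False, "damage": 900},
]


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def incident_metrics(incidents, detect_kpi_hours=24):
    """Return the metrics from the list above plus the 24-hour detection KPI."""
    closed = [i for i in incidents if i["closed"] is not None]
    detect_times = [_hours(i["occurred"], i["detected"]) for i in incidents]
    # Time to close is measured from detection; open incidents are excluded
    # so that they do not understate the average.
    close_times = [_hours(i["detected"], i["closed"]) for i in closed]
    damage_by_month = defaultdict(int)
    for i in incidents:
        damage_by_month[i["occurred"][:7]] += i["damage"]
    return {
        "reported": sum(i["source"] == "user_report" for i in incidents),
        "detected": sum(i["source"] == "monitoring" for i in incidents),
        "avg_hours_to_detect": mean(detect_times),
        "avg_hours_to_close": mean(close_times) if close_times else None,
        "pct_resolved": 100.0 * sum(i["resolved"] for i in incidents) / len(incidents),
        "pct_detected_within_kpi": 100.0 * sum(t <= detect_kpi_hours
                                               for t in detect_times) / len(incidents),
        "damage_trend": dict(sorted(damage_by_month.items())),
    }


if __name__ == "__main__":
    for name, value in incident_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```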

Reporting to senior management

Key metrics should be reported to senior management frequently. It helps senior management understand the capabilities of the incident management processes and their gaps (if any).

The current state of the incident response capabilities

Every organization has some sort of incident management capability, either structured or unstructured. The information security manager must determine the current state of this capability. This will help them understand the areas for further improvement. The information security manager can determine the current state in any of the following ways:

  • The current state can be determined by surveying senior management, business managers, and IT employees. This will help them understand the perception and focus of the group on incident management capabilities.
  • The current state can also be determined by way of self-assessment. This can be done by comparing current processes with some standard criteria. However, in this method, the views of the other stakeholders are ignored, and this can be a major challenge.
  • The current state can be determined by way of external assessment or audit. This is the most comprehensive method as it involves interviews, simulations, benchmarking with best practices, and other aspects. This approach is generally used by an organization with adequate incident response capabilities that wants to improve its processes.

It is also important for the security manager to have a thorough understanding of the history of incidents.

History of incidents

Past incidents can provide valuable information about trends, business impacts, and incident response capabilities. This information can be used to prepare a strategy for future incidents.

Threats and vulnerabilities

The security manager should understand the basic difference between a threat and a vulnerability, as follows:

Let’s understand the responsibility of the security manager for threat and vulnerability assessment.

Threats

The key responsibility of a security manager is to ensure that the various types of threats that could affect the organization are identified and documented. The organization is more vulnerable to a threat that has not been identified than to one that is well documented.

The following are some sources of threats:

  • Environmental threats such as natural disasters
  • Technical threats such as electric failure, fire, and IT issues
  • Man-made threats such as corporate sabotage, disgruntled employees, and political instability

Sources of threat identification include past incidents, audit reports, media reports, information from national computer emergency response teams (CERTs), data from security vendors, and communication with internal groups. Risk scenarios are used at the time of the threat and vulnerability assessment to identify various events and their likelihood and impact.

Vulnerability

Vulnerabilities are security weaknesses. The existence of a vulnerability is a potential risk. It represents a lack of adequate controls. The security manager should conduct regular vulnerability assessments and bridge the gap before they are found by an adversary and exploited. Vulnerability management is a proactive way to ensure that incidents are prevented.

Developing an incident response plan

An incident response plan (IRP) is one of the most important components of incident management. The incident response plan determines the activities to be carried out in case of an incident. The incident response plan includes different processes for handling the incident, along with assigned roles and responsibilities for managing the incident.

Elements of an IRP

The security manager should understand the following stages when developing an incident response plan.

Preparation

Preparing the incident response plan in depth helps it execute smoothly. The following activities are carried out in the preparation phase:

  • Defining processes to handle the incidents
  • Developing criteria for deciding on the severity of the incident
  • Developing a communication plan with stakeholders
  • Developing a process to activate the incident management team

Identification and triage

In this phase, emphasis is put on the identification and detailed analysis of the incident. The following activities are carried out in the identification phase:

  • Determining whether the reported incident is valid
  • Assigning the incident to a team member
  • Detailed analysis of the incident
  • Determining the severity of the incident and following the escalation process

Triage means deciding on the order of treatment based on urgency. It is very important to prioritize incidents based on their possible impact. Quickly ranking the severity of an incident is a key element of incident response. To determine the severity of an incident, it is recommended to consult the business process owner of the affected operations.

Triage provides a snapshot of the current status of all incidents reported to assign resources according to their criticality.

Containment

In this phase, the incident management team coordinates with the business process owner to perform a detailed assessment and to contain the impact of the incident. The following activities are carried out in the containment phase:

  • Coordination with the relevant business process owner
  • Deciding on the course of action to limit the exposure
  • Coordination with the IT team and other relevant stakeholders to implement the containment procedure

Eradication

After containment, the next phase of action is to determine the root cause of the incident and eradicate it. The dictionary meaning of eradication is the complete destruction of something. To ensure that the incident does not reoccur, determining the root cause of the incident and addressing it is of the utmost importance. Hence, the incident response team addresses the root cause during the eradication process. The following activities are carried out in the eradication phase:

  • Determining the root cause of the incident.
  • Addressing the root cause.
  • Improving the defenses by implementing further controls.
  • In the case of a virus infection, existing viruses are eradicated, and further antivirus systems are implemented to prevent reoccurrence.

Organizations should have a defined and structured method for root cause analysis. Ad hoc processes may lead to the situation shown in the following figure:

Figure 10.4 – Root cause analysis

The objective of root cause analysis is to eliminate the reason for reoccurring incidents.

Recovery

In this phase, an attempt is made to restore the system to the degree specified in the SDO or BCP. This phase should be completed as per the defined RTO. The following activities are carried out in the recovery phase:

  • Restoring the systems, as defined in the SDO
  • Testing the system in coordination with the system owner

Lessons learned

In this last phase, lessons learned are documented to determine what has happened, details of the actions that were initiated, what went wrong, what went right, and areas for further improvement. The report should be submitted to senior management and other stakeholders.

Gap analysis

Gap analysis is the most effective way to determine the gap between the current incident management capabilities and the desired level. Once gaps have been identified, the security manager can work to address the same and improve the incident management processes. The gap analysis report is used to determine the steps needed for improvement.

Business impact analysis

Business impact analysis is conducted to determine the business impact due to potential incidents. Business impact analysis is done for all identified potential incidents. The following are the key elements of a business impact analysis:

  • Analyzing business loss due to processes or assets not being available
  • Establishing escalation criteria for prolonged incidents
  • Prioritizing processes or assets for recovery

The objective of the BIA is to understand what impact an incident could have on the business and what processes or assets are critical for the organization. Participation from the business process owner, senior management, IT, risk management, and end users is required for an effective BIA. However, end users might have a different perspective of the BIA, as indicated in the following figure:

Figure 10.5 – Business impact analysis

Identifying critical processes, systems, and other resources is one of the important aspects of the BIA.

Goals of the BIA

The following are some of the primary goals of the BIA:

  • To identify and prioritize critical business unit processes. The impact of an incident must be evaluated. The higher the impact, the higher its priority should be.
  • The BIA is also used to estimate the MTD or MTO for the business. This helps with designing the recovery strategy.
  • It also determines the longest period of unavailability of critical systems, processes, or assets until the time the organization starts facing a financial crisis; that is, the AIW.
  • The BIA helps to allocate resources as per the criticality of the processes.

Steps in the BIA

The following are the steps for conducting the BIA:

  1. The initial step is to identify the critical processes and assets of the organization.
  2. The second step is to identify the dependencies of these identified critical processes.
  3. The third step is to determine possible disruptions that can impact the critical processes or their dependencies.
  4. The fourth step is to develop a strategy to restore the processes and assets in case of disruption.
  5. The last step is to document the assessment results and create a report for business process owners and senior management.

Escalation process

The incident response plan should contain a structured process of escalation for various categories of incidents. The objective of the escalation process is to highlight the issue to the appropriate authority as per the risk perceived and the expected impact of the incident. For example, minor issues should be escalated to the manager, major issues should be escalated to the senior manager, and so on. Risk and impact analysis will be the basis for determining what authority levels are needed to respond to particular incidents.

The escalation process should also state how long a team member should wait for an incident response and what to do if no such response occurs. For each type of possible incident, a list of actions should be documented. Roles and responsibilities should be defined for each such action.

The incident response plan should also contain the names of official(s) who are authorized to activate the BCP and DRP in case of major disruptions.

The security manager should determine the escalation process in coordination with business management and it should be approved by senior management.

Help desk/service desk process for identifying incidents

The help desk/service desk is most possibly the first team to receive information about the incident. The help desk team should be trained to determine the severity of the incident and escalate it to the appropriate team for further action. Detecting an incident early and quickly activating the incident response plan is the key to effective incident management.

The security manager should have a well-defined process for the help desk team to differentiate a typical incident from a possible security incident. Help desk executives should have the relevant skills, as depicted in the following figure:

Figure 10.6 – Help desk management

Frequent security awareness training for end users, as well as help desk staff, is one of the most important factors for identifying and reporting an incident early.

Incident management and response teams

The incident response plan should determine the staff requirements for handling the incident. Each team should have predefined assigned responsibilities for managing the incident. They should have relevant experience and should be trained appropriately as per their responsibilities. The team’s size may depend on the size and complexity of the organization. The defined roles and responsibilities of the incident response team increase the effectiveness of incident management. The following are some of the teams that are involved in handling incidents:

  • Emergency action team: They are generally first responders that deal with incidents such as fire or other emergencies.
  • Damage assessment team: They are qualified professionals who are capable of assessing the damage to infrastructure. They determine whether an asset is a complete loss or whether it can be restored.
  • Emergency management team: They are responsible for making key decisions and coordinating the activities of other teams.
  • Relocation team: They are responsible for smoothly relocating to an alternate site from an affected site.
  • Security team: They are responsible for monitoring the security of information assets. They are required to limit the exposure of security incidents and resolve any security-related issues.

Incident notification process

Notifying the relevant stakeholders of the incident promptly is one of the key components of an effective incident management process. Having an effective notification process helps limit the potential loss and damage due to an incident.

Most detective systems have an automated notification process enabled that helps the concerned employee act immediately.

Challenges in developing an incident management plan

The security manager should also understand the challenges in developing the incident management plan:

  • Lack of management support and organizational consensus: One of the key challenges for a security manager is to obtain support from senior management. Also, it is important to have a consensus with the business process owner on incident management processes.

    This can be best achieved by highlighting the benefits of incident management from the organization’s perspective.

  • Incident management plan not aligned with the organization's goals: Incident management can only be effective if it supports the goals of the organization. However, business processes change significantly over time. The security manager should ensure that the incident management processes are kept aligned as per business requirements.
  • Experienced and trained resources: The most important challenge is the availability of experienced and well-trained staff to handle incidents.
  • Lack of communication process: Having an ineffective communication process is a major challenge as incomplete or untimely communication will cause obstacles in the incident handling process.
  • Complex incident management plan: The security manager should keep the incident management plan simple and meaningful for all stakeholders. Also, the plan should be realistic and achievable.

Key aspects from the CISM exam’s perspective

The following are some of the key aspects from the exam’s perspective:

Practice questions

  1. What is the relevance of slack space during an incident investigation?

    A. Slack space can be used to store hidden data.

    B. Slack space contains a password.

    C. Slack space is used to capture logs.

    D. Slack space contains investigation processes.

    Answer: A. Slack space can be used to store hidden data.

    Explanation: Slack space means the additional storage that is available on a computer’s hard disk drive. Slack space is created when a computer file does not need all the space that has been allocated by the operating system. Slack space can be used to store hidden data. Verifying the slack space is an important aspect of computer forensics.

  2. The information security manager has noted a security breach. What should be their immediate course of action?

    A. To confirm the incident

    B. To evaluate the impact

    C. To notify stakeholders

    D. To isolate the incident

    Answer: A. To confirm the incident.

    Explanation: The first step should be to confirm the incident to rule out any false positives. A security manager needs to verify and validate the incident before any containment action is taken. Once the incident has been confirmed, the next step should be to isolate the incident. The other options are subsequent steps.

  3. The security manager noted a new type of attack in the industry wherein a virus is disguised in the form of a picture file. What should their first course of action be?

    A. Delete all the picture files stored on the file server

    B. Block all emails containing picture file attachments

    C. Block all incoming emails containing attachments

    D. Quarantine all the mail servers connected to the internet

    Answer: B. Block all emails containing picture file attachments.

    Explanation: The first step should be to block all emails containing picture files until the time signature files are updated. Deleting all the picture files and quarantining mail servers is not necessary. Also, blocking all the incoming emails will hamper the business process.

  4. Who should be notified immediately when a vulnerability is discovered in a web server?

    A. System owner

    B. Forensic investigators

    C. Data owner

    D. Development team

    Answer: A. System owner.

    Explanation: A vulnerability should be reported to the system owner to take appropriate corrective action. The system owner should, in turn, report to the data owner if the vulnerability is in a database arrangement. The system owner will coordinate with the development team for any development-related changes to address the vulnerability.

  5. The security manager received a report about a customer database being breached by a hacker. What should be their first step?

    A. To confirm the incident

    B. To report to senior management

    C. To initiate containment

    D. To report to law authority

    Answer: A. To confirm the incident.

    Explanation: The first step should be to confirm the incident to rule out any false positives. A security manager needs to verify and validate the incident before any containment action is taken. Once the incident has been confirmed, the next step should be to contain the incident. The other options are subsequent steps.

  6. Once the security incident has been confirmed, what should be the next task of the security manager?

    A. To determine the source of the incident

    B. To contain the incident

    C. To determine the impact of the incident

    D. To conduct the vulnerability assessment

    Answer: B. To contain the incident.

    Explanation: Once the incident has been confirmed, the next step should be to contain the incident. Containment means taking some action to prevent the expansion of the incident. Incident response procedures primarily focus on containing the incident and minimizing damage.

  7. Which of the following is the most effective way to address the network-based security attacks that are generated internally?

    A. Implement two-factor authentication

    B. Implement static IP addresses

    C. Capture the log at a centralized location

    D. Install an intrusion detection system

    Answer: D. Install an intrusion detection system.

    Explanation: Installing an IDS will help the security manager identify the source of the attack. An IDS can be used to detect both internal as well as external attacks, depending on how it is placed. An IDS is used to monitor the network or systems for abnormal activities. IP addresses can be spoofed, and hence implementing a static IP may not be useful. If the attack is from an internal source, two-factor authentication may not be helpful. Capturing the log will only be meaningful if it is monitored through SIEM.

  8. The security manager has noted a serious vulnerability in the installed firewall. What should be their next course of action?

    A. To update operating system patches

    B. To block incoming traffic until the time vulnerability is addressed

    C. To obtain guidance from the firewall manufacturer

    D. To conduct a penetration test

    Answer: B. To block incoming traffic until the time vulnerability is addressed.

    Explanation: The first course of action is to consult with the firewall manufacturer as they may have patches to address the vulnerability. They will also be in the position to suggest a workaround and compensating controls to address the issue. Blocking all incoming traffic may not be feasible as it will hamper the business processes. Updating OS patches and penetration tests will not help solve the vulnerability.

  9. The security manager has noted that confidential human resource data is accessible to all the users of the human resource department. What should be their first step?

    A. Recommend that the confidential data be encrypted

    B. Disable access to confidential data for all users

    C. Discuss the situation with the data owner

    D. Provide security training to all HR personnel

    Answer: C. Discuss the situation with the data owner.

    Explanation: The first step should be to discuss the situation with the data owner and determine the requirement for data access on a need-to-know basis. Based on this discussion, access should be provided based on the relevant job function. Access for other users needs to be removed. Data encryption may not be feasible as the user may need to access data for further processing.

  10. What is the most effective metric to justify the establishment of an incident management team?

    A. The business impact of past incidents

    B. Industry-wide monetary losses due to incidents

    C. Trends in improvement in security processes

    D. Possible business benefits from incident impact reduction

    Answer: D. Possible business benefits from incident impact reduction.

    Explanation: The best way to justify the establishment of an incident management team is to highlight the possible business benefit derived due to structured incident management processes. Trends of past incidents and industry losses may not directly impact future expected losses.

  11. What is the most important factor for identifying security incidents early?

    A. A structured communication and reporting procedure

    B. Documented criteria for the incident’s severity level

    C. Having an IDS installed

    D. Security awareness training for end users

    Answer: D. Security awareness training for end users.

    Explanation: Frequent security awareness training for end users, as well as help desk staff, is one of the most important factors for identifying and reporting an incident early. The availability of a well-structured communication and reporting procedure is also an important aspect, though it is only useful when the staff can identify the incident. An IDS will not be able to identify non-IT-related incidents. Determining the severity level is a subsequent step and will be useful once the incident has been identified.

  12. What is the main objective of the incident response plan?

    A. Prevent the incident from occurring

    B. Streamline business continuity processes

    C. Train users to deal with incidents

    D. Promote business resiliency

    Answer: D. Promote business resiliency.

    Explanation: Business resilience means the capability of the organization to sustain the disruption. The main objective of the incident response plan is to minimize the impact of an incident by developing resilient processes. The incident response plan is a means to reduce the impact of the incident but it cannot prevent the occurrence of the incident. Business continuity processes are addressed by the business continuity plan, not by the incident response plan.

  13. An end user has noted a suspicious file on a computer. They report the same to the security manager. What should be the security manager’s first step?

    A. Isolate the file

    B. Report to senior management

    C. Verify whether the file is malicious

    D. Determine the source of the file

    Answer: C. Verify whether the file is malicious.

    Explanation: The first step should be to confirm whether the file is malicious to rule out any false positives. A security manager needs to verify and validate the incident before any containment action is taken. Once the incident has been confirmed, the next step should be to isolate the file. The other options are subsequent steps.

  14. The members of the organization’s information security response team are determined by which of the following?

    A. Board of directors

    B. Operations department

    C. Risk management department

    D. Information security department

    Answer: D. Information security department.

    Explanation: Generally, incident response is handled by the information security manager, who should ensure that the team consists of individuals with the requisite knowledge and experience to handle the incidents.

  15. The security manager received an alert from an IDS about a possible attack. What should be the security manager’s first step?

    A. Determine the severity of the attack.

    B. Determine whether it is an actual incident.

    C. Isolate the affected machines.

    D. Activate the incident response plan.

    Answer: B. Determine whether it is an actual incident.

    Explanation: The first step should be to confirm the incident to rule out a false positive. A security manager needs to verify and validate the incident before any containment action is taken. Once the incident has been confirmed, the next step should be to isolate the affected machines. The other options are subsequent steps.

  16. After confirming the security breach related to customer data, the security manager should notify who first?

    A. Board of directors

    B. Affected customers

    C. Data owner

    D. Regulatory authority

    Answer: C. Data owner.

    Explanation: The data owner should be notified first, as they are in the best position to determine the impact of the security breach. The data owner then coordinates the further course of action with the computer incident response team. The other parties are notified later, as required by the incident management policy and applicable regulations.

  17. The efficiency of the incident response team can be best improved by which of the following?

    A. Defined security policy

    B. Defined roles and responsibilities

    C. A structured communication channel

    D. Forensic skills

    Answer: B. Defined roles and responsibilities.

    Explanation: The defined roles and responsibilities of the incident response team increase the effectiveness of incident management. Each team should have predefined assigned responsibilities for managing the incident. They should have relevant experience and should be trained as per their responsibilities. The other options are important but the most significant aspect is defined roles and responsibilities.

  18. What is the main objective of the senior manager reviewing the security incident’s status and procedures?

    A. To ensure that adequate corrective actions are implemented

    B. To comply with the security policy

    C. To determine the capability of the security team

    D. To demonstrate management commitment to security

    Answer: A. To ensure that adequate corrective actions are implemented.

    Explanation: The main objective is to ensure that incidents are closed by taking appropriate corrective action as per business requirements. A review by management will help align the security policy with the business objectives. The other options are not the objective of management review.

  19. The response team noted that the investigation of an incident cannot be completed as per the timeframe. What should be their next action?

    A. Continue to work until the investigation is complete

    B. Escalate to the next level for resolution

    C. Ignore the current investigation and take up a new incident

    D. Change the incident response policy to increase the timeline

    Answer: B. Escalate to the next level for resolution.

    Explanation: The incident response policy and procedure will have defined escalation and timelines for each activity. If the activity is not completed within the defined timeline, then it should be escalated to the next level.

  20. Which of the following is the most important factor for identifying a security incident promptly?

    A. Install an intrusion detection system.

    B. Perform frequent audits.

    C. A well-defined and structured communication plan.

    D. Frequently reviewing network traffic logs.

    Answer: C. A well-defined and structured communication plan.

    Explanation: Two of the most important aspects when it comes to identifying incidents promptly are frequent security awareness training for end users and a well-defined communication plan. A well-defined and structured communication plan facilitates the flow of information from the end user to senior management in a time-bound manner so that incidents can be recognized, declared, and appropriately addressed. An IDS will not be able to address non-technical incidents. An audit is generally detective in nature and may not identify the incident promptly. Reviewing network logs will help address only network-related incidents.

  21. The incident escalation process should primarily state what?

    A. Timelines for response and what to do if no response occurs

    B. How to define the criticality of the incident

    C. How to communicate with the senior manager and other stakeholders

    D. How to calculate the impact of the incident

    Answer: A. Timelines for response and what to do if no response occurs.

    Explanation: The objective of the incident escalation process is to state how long a team member should wait for a response and what to do if no such response occurs. Defined timeframes are an essential element of an effective escalation process. The communication process can also be part of the escalation process, but its most significant aspect is the timeframe. Determining severity and impact are not part of the escalation process.

  22. By using the triage phase of the incident response plan, a security manager can determine what?

    A. The dashboard’s current status of all the incidents reported

    B. The turnover time for the closure of each incident

    C. The appropriateness of the post-incident review procedure

    D. A strategic review of the incident’s resolution

    Answer: A. The dashboard’s current status of all the incidents reported.

    Explanation: Triage means deciding the order of treatment based on urgency. It is very important to prioritize incidents based on their possible effect. Triage provides a snapshot of the current status of all reported incidents so that resources can be assigned according to their criticality. Triage does not focus on incidents that have already been resolved and does not determine the appropriateness of the post-incident review procedure. It provides an operational snapshot for prioritization rather than a strategic review of how incidents were resolved.

  23. Escalation guidelines are mostly derived from which of the following?

    A. Management discretion

    B. Risk and impact analysis

    C. Audit reports

    D. The capability of the resource

    Answer: B. Risk and impact analysis.

    Explanation: The objective of the escalation process is to highlight the issue to the relevant authority, as per the risk perceived and the expected impact of the incident. This includes minor issues to be escalated to the manager, major issues to be escalated to the senior manager, and so on. A risk and impact analysis will be a basis for determining what authority levels are needed to respond to particular incidents.

  24. The incident management program is considered most effective when what happens?

    A. It detects, assesses, and prevents the reoccurrence of the incidents.

    B. It follows the documentation of all the incidents.

    C. It has sufficient resources to deal with the incident.

    D. It provides a dashboard for management.

    Answer: A. It detects, assesses, and prevents the reoccurrence of the incidents.

    Explanation: The objective of the incident management program is to detect and contain the incident and also implement controls to prevent future occurrences. The other options are secondary aspects.

  25. What is the best metric to determine the readiness of the incident response team?

    A. Time required to detect the incident

    B. Time between detection and reporting to management

    C. Time between detection and response

    D. Time between detection and documentation

    Answer: C. Time between detection and response.

    Explanation: The readiness of the response team can be best determined by the time between the detection of the incident and the response provided. The time required to detect the incident determines the control’s effectiveness. The response is more relevant compared to the documentation and reporting to senior management.

  26. What area is of most concern for establishing an effective incident management program?

    A. The incident reporting to senior management is not structured.

    B. The details of the key process owner are not defined in the security policy.

    C. Not all the incidents are managed by the IT team.

    D. The escalation process is inadequately defined.

    Answer: D. The escalation process is inadequately defined.

    Explanation: In the absence of a structured escalation process, there can be a substantial delay in handling the incident. This can have a huge adverse impact on business processes. The IT team is only required to manage incidents related to IT processes. The security policy is a high-level statement and you do not need to include details of the key process owner. Unstructured reporting is not a major concern compared to an inadequate escalation process.

  27. The security manager has noted that if a server fails for 3 days, it could cost the organization $100,000, which is twice the cost of an outage in which the server is recovered within 1 day. This calculation is arrived at from which of the following?

    A. Incident management planning

    B. Business impact analysis

    C. Business continuity planning

    D. Alternate site planning

    Answer: B. Business impact analysis.

    Explanation: A BIA is conducted to determine the business impact due to potential incidents. The following are the key elements of a BIA:

    - Analyzing business losses due to processes or assets not being available

    - Establishing escalation criteria for prolonged incidents

    - Prioritizing processes or assets for recovery

    The other options do not directly consider the impact of the incident.

  28. What is the most effective way of training the members of a newly established incident management team?

    A. Formal training

    B. Virtual training

    C. On-the-job training

    D. Mentoring

    Answer: A. Formal training.

    Explanation: As all the team members are new, it is advisable to conduct formal training. Formal training involves a structured way of learning, starting from basic concepts to advanced-level learning. This helps everyone, even if they are from different backgrounds. On-the-job training and mentoring will be more relevant when the team is already established and they have some senior and experienced members.

  29. What is the best way to determine the effectiveness of the incident response team?

    A. The percentage of incidents resolved within the defined time frame

    B. The number of employees in the incident response team

    C. The percentage of open incidents at the end of the month

    D. The number of incidents arising from internal sources

    Answer: A. The percentage of incidents resolved within the defined time frame.

    Explanation: The effectiveness of the incident response team is best determined by the closure of incidents within the defined time frame. A timely resolution will help minimize the impact of the incident. The other options, by themselves, do not provide any indication of effectiveness.
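The metrics and escalation rules discussed in questions 19, 21, 22, 25 and 29 are easy to compute once incidents are recorded with timestamps. The following is an added example, not code from the book: it takes a constructed set of incident records, computes the readiness metric (time from detection to response), the effectiveness metric (percentage of incidents resolved within the defined time frame), produces a triage order for open incidents, and flags incidents that have exceeded their response timeline and must be escalated to the next level. The per-severity timelines are assumed values for illustration; in practice they come from the organization’s risk and impact analysis.

```python
"""Incident response metrics, triage ordering and escalation checks.

Added example, not from the book. Incident records below are constructed
sample data; the timelines per severity are assumed values.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed timelines (hours) per severity; derived from risk and impact analysis in practice.
ACK_TIMELINE_H = {"high": 1, "medium": 4, "low": 24}        # detection -> first response
RESOLVE_TIMELINE_H = {"high": 8, "medium": 48, "low": 120}  # detection -> closure
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}           # lower rank = treat first


@dataclass
class Incident:
    incident_id: str
    severity: str
    detected: datetime
    responded: Optional[datetime] = None   # first containment/response action
    resolved: Optional[datetime] = None
    escalation_level: int = 0


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


# Constructed sample records (not real data).
INCIDENTS: List[Incident] = [
    Incident("INC-001", "high",   parse("2024-03-01T09:00"), parse("2024-03-01T09:30"), parse("2024-03-01T14:00")),
    Incident("INC-002", "medium", parse("2024-03-01T10:00"), parse("2024-03-01T16:00"), parse("2024-03-04T10:00")),
    Incident("INC-003", "low",    parse("2024-03-02T08:00"), parse("2024-03-02T12:00"), parse("2024-03-05T08:00")),
    Incident("INC-004", "high",   parse("2024-03-03T22:00")),             # never acknowledged
    Incident("INC-005", "medium", parse("2024-03-04T09:00"), parse("2024-03-04T11:00")),  # open, acknowledged
]


def hours_between(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 3600.0


def mean_detection_to_response_hours(incidents: List[Incident]) -> float:
    """Readiness metric (question 25): average time from detection to first response."""
    durations = [hours_between(i.detected, i.responded) for i in incidents if i.responded]
    return sum(durations) / len(durations) if durations else 0.0


def percent_resolved_within_timeline(incidents: List[Incident]) -> float:
    """Effectiveness metric (question 29): share of closed incidents resolved within
    the timeline defined for their severity."""
    closed = [i for i in incidents if i.resolved]
    if not closed:
        return 0.0
    on_time = sum(1 for i in closed
                  if hours_between(i.detected, i.resolved) <= RESOLVE_TIMELINE_H[i.severity])
    return 100.0 * on_time / len(closed)


def escalation_reason(inc: Incident, now: datetime) -> Optional[str]:
    """Escalation check (questions 19 and 21): why the incident must go to the next
    level, or None if it is still within its timelines."""
    if inc.resolved:
        return None
    age = hours_between(inc.detected, now)
    if inc.responded is None and age > ACK_TIMELINE_H[inc.severity]:
        return f"no response within {ACK_TIMELINE_H[inc.severity]}h of detection"
    if age > RESOLVE_TIMELINE_H[inc.severity]:
        return f"not resolved within {RESOLVE_TIMELINE_H[inc.severity]}h of detection"
    return None


def triage_order(incidents: List[Incident]) -> List[str]:
    """Triage (question 22): open incidents in the order they should receive resources,
    most severe first and, within a severity, oldest first."""
    open_incidents = [i for i in incidents if not i.resolved]
    open_incidents.sort(key=lambda i: (SEVERITY_RANK[i.severity], i.detected))
    return [i.incident_id for i in open_incidents]


def escalate_overdue(incidents: List[Incident], now: datetime) -> Dict[str, Tuple[int, str]]:
    """Raise the escalation level of every overdue open incident; return what was escalated."""
    report: Dict[str, Tuple[int, str]] = {}
    for inc in incidents:
        reason = escalation_reason(inc, now)
        if reason:
            inc.escalation_level += 1
            report[inc.incident_id] = (inc.escalation_level, reason)
    return report


if __name__ == "__main__":
    now = parse("2024-03-04T12:00")
    print(f"mean detection-to-response: {mean_detection_to_response_hours(INCIDENTS):.2f} h")
    print(f"resolved within timeline: {percent_resolved_within_timeline(INCIDENTS):.1f}%")
    print("triage order:", triage_order(INCIDENTS))
    for inc_id, (level, reason) in escalate_overdue(INCIDENTS, now).items():
        print(f"{inc_id}: escalated to level {level} ({reason})")
```

On the sample data the mean detection-to-response time is 3.125 hours, two of the three closed incidents were resolved within their timeline, and INC-004 (a high-severity incident with no response after 14 hours) is the only one that is escalated. Measuring the response metric against a per-severity timeline, rather than a single global one, keeps a flood of low-severity tickets from masking a slow response to the incidents that matter.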

  30. In which of the following processes does the incident response team address the root cause?

    A. Eradication

    B. Containment

    C. Reporting

    D. Recovery

    Answer: A. Eradication.

    Explanation: The dictionary meaning of eradication is “the complete destruction of something.” To remove an incident completely, so that it does not reoccur, determining its root cause and addressing it is of the utmost importance. Hence, the incident response team addresses the root cause during the eradication process. Containment limits the spread of the incident, recovery restores normal operation, and reporting documents what happened; none of these addresses the root cause.

Summary

In this chapter, we provided an overview of incident management. This chapter will help CISM candidates determine and document incident response procedures for effective incident management. This chapter will also help CISM candidates design incident management metrics and indicators. We also discussed how CISM candidates can determine the current state of an organization’s incident response capability.

In the next chapter, we will discuss the practical aspects of information security incident management.
