© 2003 ISACA

Chapter 5: Response Management

2003 CISM™ Review Course

Chapter Overview

This area is comprised of:
• 6 Task Statements
• 10 Knowledge Statements

Chapter Objective

Ensure that the CISM knows how to…

“Develop policies and procedures that will enable an organization to respond to and recover from disruptive and destructive information security events”

Chapter Summary

According to the CISM Certification Board, this area will represent approximately 13% of the CISM examination (approximately 26 questions).

Task 1: Develop and implement processes for detecting, identifying and analyzing security-related events

• The information security manager should:
  – employ a number of different mechanisms to detect security-related events, such as monitoring incident reporting websites, news organizations, user organizations, and hardware and software vendors
  – consider various vendor services that provide notifications of security-related events to organizations; the manager can also implement automated detection services, such as in-house or managed intrusion detection services, to monitor attempts to access the organization’s information resources
  – perform detection and monitoring procedures on a regular basis
  – analyze security events, assess their impact upon the organization’s information resources and modify the security program as necessary

Task 2: Develop response and recovery plans including organizing, training and equipping the teams

• The information security manager should:
  – use a risk assessment to identify those resources that are most important to the organization
  – identify the resources required to continue the business, should a business interruption occur
  – develop and investigate response and recovery strategies
  – gain senior management approval
  – oversee the development of comprehensive response and recovery plans
  – assign team members
• The information security manager should develop event scenarios and test the response and recovery plans to ensure that the team participants are familiar with their responsibilities

Task 3: Ensure periodic testing of the response and recovery plans where appropriate

• The information security manager should implement periodic testing of the response and recovery plans. The testing should include:
  – Developing test objectives
  – Evaluating the test
  – Developing recommendations to improve the response and recovery plans
  – Implementing a follow-up process to ensure that the recommendations are implemented
• Response and recovery plans that have not been tested present the organization with a risk that the plans may not work
• Once the test objectives have been defined, the information security manager should ensure that an independent third party is present to monitor and evaluate the test
• The information security manager also should implement a tracking process to ensure that the recommendations are implemented in a timely fashion

Task 4: Ensure the execution of response and recovery plans as required

• A facilitator or director is needed to direct the tasks within the plans, oversee their execution, liaise with senior management and make decisions as necessary
• The information security manager may or may not be the person to act as the recovery plan director or coordinator, but should ensure the role is assigned to someone who can perform this important function
• Important in the overall process is defining appropriate recovery strategies and alternatives

Task 4 (cont)

• Testing of the plans also helps ensure that the plans can be executed as required. By testing the plans in a scenario, recovery personnel become more familiar with the tasks and their responsibilities within the plan

• The information security manager also can appoint an observer who will record the progress and document any exceptions that occur during an actual execution of the plan

• Then, through a post-event review, the information security manager and key recovery personnel can review the observations and make adjustments to the plan accordingly

• Finally, since organizations constantly evolve and change, the information security manager must establish a process in which recovery plans are updated

Task 5: Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary

• For when an incident may occur:
  – the information security staff needs to have documented procedures so that the information can be recorded and the data preserved
  – the information security manager should develop data preservation procedures with the advice and assistance of legal counsel, the organization’s managers and knowledgeable law enforcement officials
  – there are a few basic actions the information systems staff must understand, including taking no actions that could change, modify or contaminate potential or actual evidence

Task 5 (cont)

• Initial response by the system administrator includes:
  – Retrieving information to confirm the incident
  – Identifying the scope and size of the affected environment (networks, machines/systems, applications)
  – Determining the loss, modifications or damage (if any)
  – Identifying the possible path or means of attack
  – Backing up all possible sources of evidence or relevant information

Task 6: Manage post-event reviews to identify causes and corrective actions

• The information security manager should manage post-event reviews to learn from the completed tasks and to use the information to improve the organization’s response procedures

• The information security manager may perform these reviews with the help of third-party specialists should detailed forensic skills be needed

• The security event may not always involve an outside attack, or even an internal attack, but also can be the result of a failure in the security controls implemented within the security program

• An event review team should be established
• This team would be able to review the evidence and develop recommendations to enhance the security program

Knowledge Statement 1: Knowledge of the components of an incident response capability

• An effective incident response capability not only reacts to incident events but, if defined and managed properly, can be used as a proactive control
• By dealing with the incident in a timely and effective manner and assessing the results, recommended changes may be made to improve the organization’s security program

Knowledge Statement 1 (cont)

• Incident response may vary in approach depending on the situation, but the goals are constant. These goals can include:
  – Recovering quickly and efficiently from security incidents
  – Minimizing the impact of the security incident
  – Responding systematically and decreasing the likelihood of recurrence
  – Balancing operational and security needs
  – Dealing with legal issues
• The information security manager also needs to define what constitutes an incident. Typically, incidents include:
  – Malicious code attacks
  – Unauthorized access
  – Unauthorized utilization of services
  – Denial/disruption of service
  – Misuse
  – Espionage
  – Hoaxes/social engineering

Knowledge Statement 2: Knowledge of information security emergency management practices (e.g., production change control activities, development of a computer emergency response team)

• The information security manager should:
  – understand the various activities involved in an information security emergency management program
  – meet with emergency management officials (federal, state/provincial, municipal/local) to understand what governmental capabilities exist
• Emergency management activities typically focus on the activities immediately after an event
• Emergency management activities typically include measures to assure the safety of personnel, such as evacuation plans and the creation of a command center from which emergency procedures can be executed
• It also is important that information about an incident only be communicated on a need-to-know basis

Knowledge Statement 3: Knowledge of disaster recovery planning and business recovery processes

• The information security manager should understand the processes of disaster recovery and business recovery planning, as information resources are affected by a business interruption event
• Disaster recovery traditionally has been defined as the recovery of information technology systems
• Business recovery is defined as the recovery of the critical business processes necessary to achieve the key business objectives. Business recovery includes disaster recovery but has broader coverage, as the organization’s business processes and resources must be included.
• Each of these planning processes typically includes several main phases, including:
  – Risk assessment and business impact assessment
  – Recovery strategy definition
  – Documentation of recovery plans
  – Testing of recovery plans

Knowledge Statement 3 (cont)

• Since organizations are dynamic and subject to constant changes, the recovery process must assure that plans are updated continuously and adapted to ensure they reflect the current objectives and conditions of the organization

• Senior management approval of the recovery strategy is an important step

• The information security manager will define the procedures to determine the recovery time objective of the various business processes and work to develop recovery strategies that meet that business need

Knowledge Statement 3 (cont)

• The information security manager also needs to be concerned with helping the organization define the recovery point objective (RPO)
• The RPO describes the age of the data that the organization needs to have the ability to restore in the event of a disaster. The information security manager will need to balance meeting the business recovery needs against the cost of the recovery capability

• The information security manager also needs to ensure that information security is incorporated in any recovery strategy that is implemented to ensure that the information resources are protected even in the event of a business interruption
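The RPO and RTO discussion above is easier to act on once the two objectives are checked against what the backup schedule and the last recovery test actually deliver. The following is an added example, not part of the ISACA course material; the process names, the recovery objectives, the backup completion times and the restore durations are all constructed for illustration. It measures the data-loss window (age of the newest backup that predates the incident) against the RPO and the tested restore time against the RTO, and lists the processes whose objectives are not met, which is the gap the manager takes to senior management when weighing recovery need against the cost of the capability.

```python
from datetime import datetime

# Constructed sample data for this example (not from the course): recovery
# objectives agreed with the business for three hypothetical processes, in hours.
OBJECTIVES = {
    "order-processing": {"rpo_hours": 1, "rto_hours": 4},
    "payroll": {"rpo_hours": 24, "rto_hours": 48},
    "intranet-wiki": {"rpo_hours": 72, "rto_hours": 120},
}

# Constructed completion times of the backups that exist for each process.
BACKUPS = {
    "order-processing": ["2003-06-01T00:00", "2003-06-01T06:00"],
    "payroll": ["2003-05-31T02:00"],
    "intranet-wiki": ["2003-05-30T01:00"],
}

# Constructed result of the last recovery test: hours each restore actually took.
TEST_RESTORE_HOURS = {"order-processing": 3.5, "payroll": 60.0, "intranet-wiki": 20.0}


def data_loss_window(process, incident_iso):
    """Hours of data that would be lost if the incident happened at incident_iso:
    the age of the newest backup completed before that moment.
    Returns None when no backup predates the incident (nothing to restore from)."""
    incident = datetime.fromisoformat(incident_iso)
    usable = [datetime.fromisoformat(b) for b in BACKUPS.get(process, [])]
    usable = [b for b in usable if b <= incident]
    if not usable:
        return None
    return (incident - max(usable)).total_seconds() / 3600


def assess(process, incident_iso):
    """Compare the achievable recovery with the agreed RPO and RTO.
    A positive gap means the objective is missed by that many hours."""
    obj = OBJECTIVES[process]
    loss = data_loss_window(process, incident_iso)
    restore = TEST_RESTORE_HOURS[process]
    return {
        "process": process,
        "data_loss_hours": loss,
        "rpo_met": loss is not None and loss <= obj["rpo_hours"],
        "rpo_gap_hours": None if loss is None else loss - obj["rpo_hours"],
        "rto_met": restore <= obj["rto_hours"],
        "rto_gap_hours": restore - obj["rto_hours"],
    }


def recovery_report(incident_iso):
    """Assess every process and list the ones whose objectives are not met;
    these are the gaps to raise with senior management or to price a better
    recovery capability against."""
    results = {p: assess(p, incident_iso) for p in OBJECTIVES}
    failing = sorted(p for p, r in results.items() if not (r["rpo_met"] and r["rto_met"]))
    return {"results": results, "failing": failing}


if __name__ == "__main__":
    rep = recovery_report("2003-06-01T10:00")
    for name, r in rep["results"].items():
        print(name, r)
    print("objectives not met:", rep["failing"])
```

With the constructed data, an incident at 10:00 on 1 June leaves order-processing four hours behind its one-hour RPO even though its restore fits the RTO, and payroll misses both objectives; the wiki, with generous objectives, passes. Running the same check against the real backup catalogue before each test cycle gives the manager a concrete list of processes whose objectives are unachievable as currently resourced.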

Knowledge Statement 4: Knowledge of disaster recovery testing for infrastructure and critical business applications

• Testing of the recovery plans needs to include infrastructure and critical applications
• The information security manager should secure these systems during a disaster event
• Based on the risk assessment and business impact information, the information security manager will identify the critical applications the organization requires and the infrastructure needed to support them
• To ensure that these will be recovered in a timely fashion, the information security manager needs to perform recovery tests

Knowledge Statement 4 (cont)

• Generally the information security manager performs tests that will progressively challenge the recovery plans. Examples include:
  – “Table top” walk-throughs of the plans
  – “Table top” walk-throughs with mock disaster scenarios
  – Testing of the infrastructure and communication components of the recovery plan
  – Testing of the infrastructure and recovery of the critical applications
  – Testing of the infrastructure, critical applications and involvement of the end-users
  – Surprise tests

Knowledge Statement 4 (cont)

• This testing process enables the information security manager to gain momentum and achieve initial successes and modify the plan based on information gained from the initial tests

• Performing a robust test costs resources and requires the coordination of various departments. A minor error or mishap (e.g., a missing set of backup media) could make completing the full test impossible

• In case the normal business operations are destroyed or inaccessible, the manager needs to have alternative operating strategies based on the recovery strategy

• The information security manager also should report to senior management on the recovery capability of the organization

Knowledge Statement 5: Knowledge of escalation process for effective security management

• The information security manager should implement an escalation process for effective security management
• A detailed description of the escalation process should be documented
• The escalation process should include the prioritizing of event information and the decision process for determining when to alert various groups, including senior management, the public, shareholders and stakeholders, legal counsel, human resources, vendors and customers

• An escalation process also is important if the organization utilizes vendor security services. An escalation process should be agreed to with the vendors so that appropriate notification/information sharing takes place during and after an event

• The information security manager also should have a mechanism to communicate crisis or event information
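A documented escalation process is, in practice, a prioritization rule plus a table of who is alerted at each priority and how long an event may sit unacknowledged before it moves up. The following is an added example, not from the ISACA course: the tier names, the acknowledgement timeouts, the event attributes used to prioritize, and the assignment of groups to tiers are all assumptions made for illustration (the group names themselves are the ones the slide lists). It also shows the vendor point from the slide: when a managed security service is involved, the agreed vendor contact is included in every notification rather than only at the top tier.

```python
# Constructed escalation matrix for this example (not from the course). Tier
# names, timeouts and the group-to-tier mapping are assumptions; the group
# names are the candidates for alerting listed in the course slide.
TIERS = ["low", "medium", "high", "critical"]

GROUPS_BY_TIER = {
    "low": ["security-team"],
    "medium": ["security-team", "it-operations"],
    "high": ["security-team", "it-operations", "senior-management",
             "legal-counsel", "human-resources"],
    "critical": ["security-team", "it-operations", "senior-management",
                 "legal-counsel", "human-resources", "vendors", "customers",
                 "shareholders-and-stakeholders", "public"],
}

# Minutes an event may remain unacknowledged at a tier before it moves up one.
ACK_TIMEOUT_MINUTES = {"low": 240, "medium": 60, "high": 15, "critical": 5}


def prioritize(event):
    """Assign an initial tier from the event's attributes (keys are constructed).
    The thresholds are deliberately simple; the point is that the rule is written down."""
    affected = event.get("systems_affected", 0)
    if event.get("data_exposed") or affected >= 50:
        return "critical"
    if event.get("external_source") and affected >= 5:
        return "high"
    if event.get("confirmed") and affected >= 1:
        return "medium"
    return "low"


def escalate(tier, minutes_unacknowledged):
    """Move the event up one tier for each acknowledgement timeout that has
    elapsed without anyone taking ownership; stops at the top tier."""
    idx = TIERS.index(tier)
    remaining = minutes_unacknowledged
    while idx < len(TIERS) - 1 and remaining >= ACK_TIMEOUT_MINUTES[TIERS[idx]]:
        remaining -= ACK_TIMEOUT_MINUTES[TIERS[idx]]
        idx += 1
    return TIERS[idx]


def groups_to_alert(event, minutes_unacknowledged=0):
    """Return the effective tier and the groups to notify now. If a vendor
    security service is involved, the agreed vendor contact is always included
    so that information sharing happens during the event, not only after it."""
    tier = escalate(prioritize(event), minutes_unacknowledged)
    groups = list(GROUPS_BY_TIER[tier])
    if event.get("managed_service") and "vendors" not in groups:
        groups.append("vendors")
    return tier, groups


def notification_record(event, minutes_unacknowledged=0):
    """Document each decision so the escalation path can be reviewed afterwards."""
    tier, groups = groups_to_alert(event, minutes_unacknowledged)
    return {"event_id": event.get("id", "unknown"), "initial_tier": prioritize(event),
            "effective_tier": tier, "unacknowledged_minutes": minutes_unacknowledged,
            "notified": groups}


if __name__ == "__main__":
    # Constructed event: a confirmed infection on one host reported by a managed
    # IDS service, first when it arrives and again 90 minutes later, still unowned.
    worm = {"id": "EVT-1", "confirmed": True, "systems_affected": 1, "managed_service": True}
    print(notification_record(worm))
    print(notification_record(worm, minutes_unacknowledged=90))
```

The second record in the usage shows why the timeouts matter: a medium event nobody acknowledges for 90 minutes has passed both the medium (60 min) and high (15 min) timeouts and is treated as critical, so senior management and legal counsel are alerted by the process rather than by someone remembering to call them.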

Knowledge Statement 6: Knowledge of intrusion detection policies and processes

• The information security manager should understand the intrusion detection policies and procedures, including some basic requirements such as:
  – Requiring that the system is fault tolerant and is itself suitably secure against attack
  – Requiring that it runs continuously
  – Requiring that it is easily modified and can adapt to changes
  – Requiring that it does not impose excessive overhead
  – Requiring that it detects anomalies
• A company should use an intrusion detection system that combines both host- and network-based sensors suitably placed to provide adequate coverage of the network topology

• Most systems can be set up to contact the security staff in the event suspicious activity is detected

Knowledge Statement 6 (cont)

• Intrusion detection policies and procedures should include:
  – Identifying the vulnerability used by the perpetrator
  – Recording logs and making a backup of the systems impacted
  – Identifying the motivation for the attack
  – Determining if other systems were compromised
  – Determining if any viruses were left behind or if any programs were left behind for future use
  – Documenting the steps taken to follow up on unusual activity
  – Assigning responsibilities for various aspects of the intrusion detection process

• The information security manager should define the goals, objectives and priorities for the intrusion detection systems and assess the alternative that will best fulfill these requirements

Knowledge Statement 6 (cont)

• The information security manager should understand the complete costs of implementing such a security control, as resources will need to be assigned to implement, monitor and respond to the alarms generated by these tools

• The information security manager should determine the appropriate mix between externally managed security services providers to manage the organization’s intrusion detection systems and internal staff to achieve timely and knowledgeable reaction to malicious activity

Knowledge Statement 7: Knowledge of help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with by the help desks

• The information security manager should have processes defined for help desk personnel to distinguish a typical help desk request from a possible security incident

• In addition to identifying the possible security incident, the help desk personnel should be aware of the procedures to report and escalate the issue

Knowledge Statement 8: Knowledge of the notification process in managing security incidents and recovery (for example, automated notice and recovery mechanisms that respond to virus alerts in real time)

• The information security manager should understand that having an effective and timely security incident notification process is a critical component of an effective security program

• Mechanisms exist that enable an automated detection system or monitor to send e-mail or phone messages to designated personnel
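The automated detection-and-notification mechanism described here (and the "contact the security staff when suspicious activity is detected" capability in Knowledge Statement 6) can be shown end to end on a small scale. The following is an added example, not part of the ISACA course: it runs a sliding-window detector for bursts of failed logins over constructed sshd-style log lines, then composes the e-mail notification a monitor would hand to a mail or paging gateway. The log lines, host names, addresses (from the documentation ranges 198.51.100.0/24 and 192.0.2.0/24) and the on-call mailbox are all constructed; the transport is pluggable and defaults to an in-memory outbox so the example runs offline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed sshd-style log lines for this example (not real traffic).
SAMPLE_LOG = [
    "2003-06-01T10:00:01 host1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2",
    "2003-06-01T10:00:03 host1 sshd[1234]: Failed password for invalid user root from 198.51.100.7 port 4023 ssh2",
    "2003-06-01T10:00:04 host1 sshd[1234]: Failed password for invalid user test from 198.51.100.7 port 4024 ssh2",
    "2003-06-01T10:00:06 host1 sshd[1234]: Failed password for invalid user oracle from 198.51.100.7 port 4025 ssh2",
    "2003-06-01T10:00:09 host1 sshd[1234]: Failed password for invalid user guest from 198.51.100.7 port 4026 ssh2",
    "2003-06-01T10:05:00 host1 sshd[1300]: Accepted password for alice from 192.0.2.10 port 5001 ssh2",
    "2003-06-01T10:30:00 host1 sshd[1400]: Failed password for bob from 192.0.2.11 port 5100 ssh2",
    "2003-06-01T10:31:00 host1 sshd[1401]: Accepted password for bob from 192.0.2.11 port 5101 ssh2",
]

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(seconds=60)  # ... within this window raise an alert

# Designated personnel (constructed contact details).
ON_CALL_EMAIL = "security-oncall@example.test"


def detect_failed_login_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed logins per source address.
    Emits one alert per burst and resets that source's window, so a continuing
    burst produces a fresh alert rather than one notification per extra line."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        window_q = recent[m["src"]]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold:
            alerts.append({"source": m["src"], "host": m["host"], "count": len(window_q),
                           "first": window_q[0].isoformat(), "last": ts.isoformat()})
            window_q.clear()
    return alerts


def build_notification(alert, to_addr=ON_CALL_EMAIL):
    """Compose the message the monitor would hand to an e-mail or paging gateway."""
    msg = EmailMessage()
    msg["From"] = "ids-monitor@example.test"
    msg["To"] = to_addr
    msg["Subject"] = f"[IDS] {alert['count']} failed logins from {alert['source']} on {alert['host']}"
    msg.set_content(
        f"Source: {alert['source']}\nHost: {alert['host']}\n"
        f"Window: {alert['first']} to {alert['last']}\n"
        "Action: acknowledge in the incident tracker and follow the escalation procedure.\n"
    )
    return msg


def monitor(lines, transport=None):
    """Run detection and dispatch one notification per alert. `transport` is any
    callable accepting an EmailMessage (for instance a wrapper around smtplib);
    by default messages are collected in memory so the example runs offline."""
    outbox = []
    send = transport if transport is not None else outbox.append
    alerts = detect_failed_login_bursts(lines)
    for alert in alerts:
        send(build_notification(alert))
    return alerts, outbox


if __name__ == "__main__":
    found, sent = monitor(SAMPLE_LOG)
    for message in sent:
        print(message["Subject"])
```

On the constructed log the five failures from 198.51.100.7 within eight seconds produce exactly one notification; bob's single typo does not. The threshold and window are the knobs the slide's "does not impose excessive overhead" and "detects anomalies" requirements pull in opposite directions, and the outbox is the place the next slide's point applies: the message is only useful if a named person is responsible for reacting to it.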

Knowledge Statement 8 (cont)

• These notification activities are only effective if knowledgeable personnel understand their responsibilities and react to them

• The information security manager therefore needs to define the responsibilities and communicate them to key personnel

Knowledge Statement 9: Knowledge of the requirements for collecting and presenting evidence; rules for evidence, admissibility of evidence, quality and completeness of evidence

• The information security manager should understand that any contamination of evidence following an intrusion could severely inhibit the organization’s ability to prosecute the perpetrator

• In addition, the modification of data can inhibit the computer forensic activity necessary to identify the perpetrator and assess what was damaged 

• By inhibiting these activities, the organization may not be able to identify how the intrusion was completed and how the security program should be changed and enhanced to eliminate the risk of a similar intrusion in the future
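The preservation procedures called for in Task 5 and the contamination concern raised here both come down to one verifiable practice: hash each item at collection, record who handled it and when, and re-hash before every hand-over or examination so that any change is detected and documented rather than discovered in court. The following is an added example, not from the ISACA course: a minimal chain-of-custody record built on SHA-256 file hashes. The evidence file, its content, the handler names and the log format are constructed for illustration; the `demo()` function deliberately appends to the original afterwards so that the verification step can be seen catching the modification.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 16


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Append-only record of who handled an item, when, and its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, action, item, handler, digest, note=""):
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "item": item, "handler": handler,
            "sha256": digest, "note": note,
        }
        self.entries.append(entry)
        return entry

    def dump(self):
        return json.dumps(self.entries, indent=2)


def acquire(path, handler, log):
    """Hash the item as collected and open its custody record. The original is
    only ever read; examination should happen on a verified copy."""
    digest = sha256_file(path)
    log.record("acquired", os.path.basename(path), handler, digest)
    return digest


def verify(path, expected_digest, handler, log):
    """Re-hash before handing the item on or examining it. A mismatch means it
    was altered after acquisition and the change must be explained in the record."""
    digest = sha256_file(path)
    intact = digest == expected_digest
    log.record("verified" if intact else "INTEGRITY FAILURE",
               os.path.basename(path), handler, digest,
               note="" if intact else f"expected {expected_digest}")
    return intact


def demo():
    """Acquisition, hand-over check, and detection of a modification, on a constructed file."""
    log = CustodyLog()
    with tempfile.TemporaryDirectory() as workdir:
        item = os.path.join(workdir, "auth.log")
        with open(item, "wb") as fh:  # constructed evidence content
            fh.write(b"2003-06-01T10:00:01 host1 sshd[1234]: Failed password for invalid user admin from 198.51.100.7\n")
        digest = acquire(item, "responder-a", log)
        intact_before = verify(item, digest, "analyst-b", log)
        # What a responder must not do: touching the original. Done here on
        # purpose so the check that catches it can be shown.
        with open(item, "ab") as fh:
            fh.write(b"# cleaned up by admin\n")
        intact_after = verify(item, digest, "analyst-b", log)
    failures = [e for e in log.entries if e["action"] == "INTEGRITY FAILURE"]
    return {"intact_before": intact_before, "intact_after": intact_after,
            "entries": len(log.entries), "failures": len(failures), "log": log.dump()}


if __name__ == "__main__":
    print(demo()["log"])
```

The custody log is what legal counsel and law enforcement will ask for: every entry names a handler, a time and the hash observed, so the record itself shows whether the item presented is the item collected. In practice the hash and the log should be stored separately from the evidence and the original kept read-only; the example keeps everything in one process only so it runs stand-alone.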

Knowledge Statement 10: Knowledge of post-incident reviews and follow-up procedures

• Understanding the purpose and structure of post-incident reviews and follow-up procedures will enable the information security manager to continuously improve the security program

• A consistent methodology should be adopted within the security organization so that when a problem is found, an action plan is developed to reduce/mitigate the vulnerability

• A consistent process will limit the amount of time personnel are reacting to security incidents so they are able to spend more time on proactive activities

Chapter 5: Glossary

• Business impact analysis (BIA)
• Disaster recovery plan walkthrough
• Forensic examination
• Mirrored site
• Passive response
• Threat analysis

Sample Question

The FIRST step in beginning a business continuity process should be to:
A. identify alternative processing sites.
B. determine suitable insurance.
C. establish the business objectives of information processing facilities.
D. perform a business impact analysis.

Chapter 5: Recap

• Group discussion
• Questions