CISM Quick Review Guide - Stephen J. Bigelow
CISM® Certified Information Security Manager® Quick Review Guide
Peter H. Gregory
CISM, CISA, CRISC, CIPM,
CISSP, CCSK, CCISO, PCI-QSA
Welcome to the CISM Certified Information Security Manager Certification Quick Review Guide! This guide is an excellent resource to help you study for the CISM certification exam, and after you earn your CISM certification, it will continue to serve you as a handy desk reference. It summarizes all of the important points you need to know to pass the exam and function as an effective security manager. I recommend that you pick up a copy of CISM Certified Information Security Manager All-In-One Exam Guide (be sure to choose the most recent edition), which contains all of the details behind the summaries in this guide and in CISM Certified Information Security Manager Practice Exams. Best of luck on your CISM exam, and welcome to the world of information security management!
Chapter 1:
Information Security Governance
This topic is all about the practices related to the framework and supporting processes that ensure
that an organization’s information security strategy is aligned with organizational goals and
objectives. I can’t stress enough that one of the most important success factors for any organization’s
information security program is the need for business alignment. In most organizations, business
alignment is achieved through periodic involvement of business leaders in the organization’s
information security program.
Governance Activities
• Governance is a process whereby senior management exerts strategic control over business functions through policies, objectives, delegation of authority, and monitoring. Often this is achieved via a steering committee that participates in strategic information security–related discussions and decisions.
• For information security governance to be successful, an organization’s IT governance function must also be present and effective in ensuring that IT processes, systems, and staff support key organization business processes.
• A role is a label that provides some clues for others on the types of activities a person in that role will perform. Responsibilities are the specific activities that are assigned to a person in a role.
• Roles and responsibilities are sometimes documented in a RACI (Responsible, Accountable, Consulted, Informed) chart that illustrates which persons have what types of responsibilities within business processes. For instance, in an access request process, several people perform various activities; a RACI chart is a matrix that designates whether each person is Responsible, Accountable, Consulted, or Informed, or serves no role, for each activity in the process.
• Although the details vary from organization to organization, it is important for a security manager to understand the nature of the roles and responsibilities of various groups and individuals in an organization, including the board of directors, the chief information security officer, the chief privacy officer, other executives, and other personnel. A security manager must be especially aware of the roles and responsibilities of all personnel within the IT organization, but also of many roles outside of IT, especially legal, human resources, finance, and the various business lines that develop and deliver goods and services to customers or constituents.
supposed to work. Often, changes to information systems are required, as well as the
acquisition of new systems and the replacement of old systems.
• Before a security manager is permitted to execute a strategy, he or she will often be required to build a business case that will be presented to senior management. Typically, a business case contains a problem statement, descriptions of current and desired states, success criteria, requirements, approach, and a high-level plan. To be successful, the business case must be relevant and result in the delivery of value to the organization.
• Management commitment is necessary for the success of a security strategy, as well as for the ongoing effectiveness of a security program. A security manager must be familiar with the organization and be a skilled communicator in order to obtain management commitment.
• Effective communications and reporting are a critical part of a successful and relevant security program. This includes board of directors meetings, governance and steering committee meetings, security awareness, security advisories, security incidents, and metrics.
A Final Tip
• Success is never guaranteed. A security manager must be mindful of the factors that present challenges to the success of a strategy, as well as to ongoing operations. These factors include organizational culture, staff capabilities, budgets, legal and regulatory obligations, organizational inertia, and the usual human resistance to change.
Chapter 2:
Information Risk Management
Information risk management is the practice of balancing business opportunity with potential
information security–related losses. Information risk management is largely a qualitative effort, since
it is difficult to know the probability and costs of significant loss events. Still, several methods for
measuring risk have been established that help organizations better understand risks and how they
can be handled. These methods include both qualitative and quantitative techniques that are used to
contribute to business decisions.
• Established risk management frameworks include NIST SP 800-37 (“Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”), NIST SP 800-39 (“Managing Information Security Risk”), COBIT 5, the RIMS Risk Maturity Model, and FRAP (Facilitated Risk Analysis Process).
• Risk management frameworks have several elements in common. Mainly, they include risk objectives and risk policy, statements of risk appetite/tolerance, roles and responsibilities, a risk management life cycle process, documentation and business records, and management review (which may include metrics and KRIs).
be confronted with a risk that it does not properly process because of constraints in policies
or procedures.
• Risk analysis is the next step in the risk management life cycle, where a risk manager begins to determine the probability of event occurrence, the impact of event occurrence, the various means for mitigating, transferring, accepting, or avoiding the risk, and a recommendation. This is generally written up in a report for an information security steering committee or other decision-making body.
• After analysis, a new risk is entered into a risk register or risk ledger, a business record where newly identified risks are recorded.
• The information security steering committee will discuss and deliberate the new risk and usually make a risk treatment decision. For difficult risks, there may be some additional discovery or negotiation before a formal, final decision can be made. Often this is because risk treatment may be expensive or may impact the business model in some way.
Threat Identification
• Threat identification is a key activity in a risk assessment.
• A threat is defined as an event that, if realized, would bring harm to an asset and, thus, to the organization. A threat is not a weakness in a system—that is a vulnerability.
• Because many organizations outsource parts of their IT function, it is prudent for organizations to identify threats to their third-party service providers as well.
• Threats are typically classified as external or internal, as intentional or unintentional, and as manmade or natural.
• A risk assessment should contain a reasonably complete list of relevant threats. Good sources for threat lists are ISO/IEC 27005 and NIST SP 800-30.
Vulnerability Identification
• Vulnerability identification is a key activity in a risk assessment.
• A vulnerability is any weakness in a system that permits an attack to compromise a target system successfully. A vulnerability is not an attack or technique—that is a threat.
• Because so many organizations outsource many aspects of their IT function, it is necessary for an organization to be able to identify vulnerabilities in its third-party service providers.
Risk Identification
• Once the values of specific assets are known, together with vulnerabilities and relevant threats, risks can be identified.
• Risk is generally calculated by one of these formulas:
• Risk analysts gather information by interviewing business and security personnel, examining business records, and examining any analysis of incidents or prior risk assessments that may have occurred.
• Qualitative risk analysis is most common: probabilities of occurrence, impact of occurrence, and asset valuation are expressed as Low, Medium, or High. Qualitative risk analysis helps security managers distinguish higher risks from lower risks without having to perform a lot of financial calculations.
• Semiquantitative risk analysis resembles qualitative risk analysis, but scores for probability, impact, and value are expressed in numerical ranges such as 1–3, 1–5, or 1–10.
• Quantitative risk analysis deals in more specific monetary values and event probabilities than do qualitative and semiquantitative risk analyses. Risk analysts who perform quantitative risk analysis often begin with semiquantitative risk analysis and then plug in more precise values where they are known.
• Several risk analysis techniques are available, including OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), Delphi, event tree analysis (ETA), fault tree analysis (FTA), and Monte Carlo analysis.
• It is important to assign each risk to a risk owner. A risk owner is typically a middle- to upper-management leader who controls the business activities that are the subject of the risk analysis. A risk owner will have a say in the risk treatment decision process.
Risk Treatment
• Risk treatment is the decision that is made about a risk that has been identified and analyzed. The four possible risk treatment decisions are accept, mitigate, transfer, and avoid.
• There is almost always some leftover risk, known as residual risk, with any of these options. In some cases, residual risk is large enough to warrant its own risk analysis to determine whether additional risk treatment decisions can be made to bring residual risk down to acceptable levels.
• Organizations generally develop a scheme whereby higher officials in an organization are required to approve risk treatment decisions for matters of high risk.
• Risk acceptance decisions should not be perpetual; instead, they should expire so that management can re-evaluate them. This is prudent because many aspects of the risk can change, including the nature of threats, protective and detective controls, and asset value.
threats, and the risk treatment process facilitates decision-making. Recovery targets define
pragmatic limits and help define remediation and recovery plans.
• A risk register generally contains items of strategic risk, whether associated with business processes, information technology, the organization’s workers, or third-party service providers.
• A risk register is usually not used to record matters of tactical risk, such as individual system vulnerabilities or weaknesses.
• A risk register is also not used to record security incidents. However, the identification of a security incident may well trigger the creation of one or more risk register entries that represent weaknesses in the organization’s ability to prevent, detect, or respond to incidents.
• Entries for the risk register may come from many sources, such as risk assessments, vulnerability assessments, internal audits, security incidents, threat intelligence, industry developments, new laws and regulations, and outside experts including consultants.
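The scoring, residual risk, tiered approval and expiring acceptances described in the Risk Identification and Risk Treatment bullets above, turned into a small risk register. This is an added example and not code from the guide; the 1–5 scales, the product scoring rule, the Low/Medium/High thresholds, the approver levels and the three sample entries are all assumptions made for illustration.

```python
"""Semi-quantitative risk scoring with a minimal risk register.

Added example, not code from the CISM Quick Review Guide. All numbers are
assumptions for illustration: probability and impact are scored 1-5 and
multiplied; 1-5 is Low, 6-12 Medium, 13-25 High; controls subtract points;
High residual risk needs an executive approver; acceptances expire.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 1, 5
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}
BAND_LEVEL = {"Low": 1, "Medium": 2, "High": 3}
ROLE_LEVEL = {"risk owner": 1, "security manager": 2, "executive": 3}


def score(probability: int, impact: int) -> int:
    """Combine two 1-5 scores into a 1-25 score (assumed product rule)."""
    for value in (probability, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"score {value} outside {SCALE_MIN}-{SCALE_MAX}")
    return probability * impact


def band(risk_score: int) -> str:
    """Map a numeric score back to the qualitative Low/Medium/High bands."""
    return "Low" if risk_score <= 5 else "Medium" if risk_score <= 12 else "High"


@dataclass
class Control:
    name: str
    probability_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    description: str
    owner: str                      # accountable business leader
    probability: int                # 1-5 before controls
    impact: int                     # 1-5 before controls
    controls: List[Control] = field(default_factory=list)
    treatment: Optional[str] = None
    accepted_until: Optional[date] = None

    def inherent(self) -> int:
        return score(self.probability, self.impact)

    def residual(self) -> int:
        """Score after existing controls; never below the scale floor."""
        p = self.probability - sum(c.probability_reduction for c in self.controls)
        i = self.impact - sum(c.impact_reduction for c in self.controls)
        return score(max(SCALE_MIN, p), max(SCALE_MIN, i))


class RiskRegister:
    def __init__(self) -> None:
        self.risks = {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def treat(self, risk_id, treatment, approver_role, today, accept_days=365):
        """Record a treatment decision, enforcing the approval scheme."""
        risk = self.risks[risk_id]
        if treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {treatment!r}")
        level = band(risk.residual())
        if ROLE_LEVEL.get(approver_role, 0) < BAND_LEVEL[level]:
            raise PermissionError(f"{approver_role} may not approve {level} risk")
        risk.treatment = treatment
        # Acceptances are time-boxed so management must re-evaluate them.
        risk.accepted_until = today + timedelta(days=accept_days) if treatment == "accept" else None

    def expired_acceptances(self, today: date) -> List[str]:
        return sorted(r.risk_id for r in self.risks.values()
                      if r.treatment == "accept" and r.accepted_until and r.accepted_until < today)


def demo_register() -> dict:
    """Constructed sample entries (not real data) and the resulting findings."""
    today = date(2024, 1, 15)
    reg = RiskRegister()
    reg.add(Risk("R-001", "Ransomware on file servers", "VP Operations", 4, 5,
                 controls=[Control("offline backups", impact_reduction=2),
                           Control("EDR on servers", probability_reduction=1)]))
    reg.add(Risk("R-002", "Payroll SaaS provider outage", "CFO", 2, 2))
    reg.add(Risk("R-003", "Unpatched legacy HR database", "HR Director", 5, 4))
    reg.treat("R-001", "mitigate", "security manager", today)
    reg.treat("R-002", "accept", "risk owner", today, accept_days=180)
    try:                                  # a High risk needs executive sign-off
        reg.treat("R-003", "accept", "security manager", today)
        high_by_manager = "allowed"
    except PermissionError:
        high_by_manager = "refused"
    ids = ("R-001", "R-002", "R-003")
    return {
        "inherent": {i: reg.risks[i].inherent() for i in ids},
        "residual": {i: reg.risks[i].residual() for i in ids},
        "high_by_manager": high_by_manager,
        "expired_by_2024_08_01": reg.expired_acceptances(date(2024, 8, 1)),
    }
```

`demo_register()` returns the inherent and residual score of each entry, the refusal of a security manager to accept a High residual risk, and the acceptance that has lapsed by a later review date. The scoring rule and the thresholds are policy choices that belong in the risk management procedure document, not in code, and the register holds only strategic entries; individual vulnerability findings stay in the vulnerability management system.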
Risk Documentation
• An organization’s risk management program needs to be documented to ensure that risk management operations are consistently performed. This includes policy and procedure documents, business records, roles and responsibilities, and records of communications.
Chapter 3:
Information Security Program
Development and Management
Security program development represents a wide assortment of activities in an organization. Most of
these activities have a direct impact on personnel, business processes, or information technology.
Often, security programs are focused on linking many disparate activities in an organization that are
all, one way or another, associated with the protection of valuable information assets. Another way
of thinking of security program management is that the security manager (and team, if any) acts as a
catalyst to ensure that activities throughout the organization are carried out in a way that does not
produce unacceptable risk.
to consider new business ventures while being fully aware of associated risks that can be
managed and treated.
• The outcomes of an organization’s security program should include strategic alignment, risk management, value delivery, resource management, performance management, and integration of security into business processes.
• Many organizations define and empower a security program through a charter, a document that describes the objectives of the security program, its scope, its main timelines, the sources of funding, the names of its principal leaders and managers, and the business executives who are sponsoring the program.
• Many organizations build their security programs with a standard framework as the foundation. Such frameworks include ISO/IEC 27001:2013, COBIT 5, and the NIST Cybersecurity Framework (CSF). Be careful not to confuse a program framework with a controls framework!
• Many organizations develop an information security architecture, which is both a business function and a technical model. As a business function, security architecture is a set of activities that ensures that the organization designs and implements technology in the right way. As a technical model, security architecture is the set of specifications and schematic diagrams that the organization uses to implement technology consistently.
• Architecture frameworks in use today include TOGAF (The Open Group Architecture Framework) and Zachman. Each is used to join business concepts with information technology.
Risk Management
• The purpose of risk management is to identify risks and enact changes to bring risks to acceptable levels. Risk management is a life-cycle activity with no beginning and no end: a continuous, phased set of activities that includes the examination of processes, records, systems, and external phenomena in order to identify risks.
• An organization building a risk management program needs to define the program’s objectives, scope, authority, roles and responsibilities, resources, and documentation, including policies, procedures, and records.
• The risk management process consists of identifying assets; analyzing the threats and vulnerabilities associated with each asset; understanding which threats are likely enough to require attention, and how probable they are; identifying vulnerabilities; and understanding the impact if a threat is realized. Optionally, quantitative risk analysis may attempt to arrive at the costs of threats with probabilities factored in. Risk analysis continues with the development of one or more risk treatment and mitigation options that provide management with an array of choices for managing each risk.
• Risk treatment is the action that management decides to take with any given risk. The four traditional risk treatment options are accept, mitigate, transfer, and avoid, and organizations maintain business records of each treatment decision and who made it. A de facto fifth option is to ignore the risk, in which case the organization refuses to identify and understand it. By default, this means the organization is accepting the risk, since it is taking no other treatment action.
Audits
• Organizations perform audits and reviews to help them understand the effectiveness of policies, processes, and controls. A review is less formal; an audit is more formal and generally performed using a set of audit rules.
• There are several types of audits, including operational, financial, integrated, IS, administrative, compliance, forensic, and service provider audits. An audit is generally managed as a project, complete with a plan, scope, objectives, participants, records, and a formal report. Audit evidence is usually archived for a number of years.
• Organizations may perform a control self-assessment (CSA), alone or as part of an audit or other assurance program. In a CSA, control owners follow specific instructions, which usually include answering a questionnaire about the business process or control and submitting specific artifacts as evidence. Auditors can sometimes use information from control self-assessments to augment their audit activities.
Policy Development
• Security managers frequently need to develop or update security policy as a part of the development of a security program. Security policy is a set of statements that defines expected behavior from workers in an organization, including the use of information systems.
• When developing information security policy, security managers need to consider applicable laws, regulations, standards, and other legal obligations, as well as the organization’s risk tolerance, its controls, and organizational culture.
• It is often helpful to align security policy with the security controls and any controls framework that may be in place.
• Security policy must be available to all workers in an organization. Many organizations require workers to acknowledge in writing that they will comply with security policy as well as other policies.
• Identifying all of the third parties providing services to an organization is itself a daunting task. Stakeholders involved with third parties can include legal, procurement, accounts payable, IT, IT security, facilities, department heads, and business unit leaders.
• The entire population of service providers should be recorded in a central location. Tiers of risk should be established so that the organization can identify its highest-risk service providers. The tiers, in turn, are used to match varying levels of assessment rigor to service providers at each level of risk. Service providers at the highest level of risk should be assessed with the highest level of rigor, including lengthier questionnaires, audit reports, site visits in some cases, and more frequent reassessments. The lowest-risk service providers are generally assessed only at the time of onboarding, with shorter questionnaires.
• Organizations need to determine which criteria are used to place a service provider in the appropriate risk tier.
• Engagement with a service provider is appropriate when significant risks are identified. Attempts may be made to compel the service provider to alter its controls, but this is not always successful. Often, the organization needs to determine whether it can mitigate the risk on its own through a compensating control, or whether it must simply accept the risk. Risk avoidance amounts to the organization ceasing to use the service provider, but this option is rarely used because of the business impact.
Administrative Activities
• Administrative work must be performed by the security manager and the rest of the security team.
• A security program can be successful only to the extent that the security manager has developed key partnerships throughout the organization. Parties with whom key partnerships are important include legal, human resources, facilities, information technology, product/service development, procurement, finance, and business unit leaders.
• Security managers need to develop a number of external partnerships with parties including law enforcement, regulators, auditors, standards organizations, security vendors, and professional organizations.
• Security managers in many organizations are involved with compliance-related activities to ensure that the organization achieves and remains compliant with applicable laws, regulations, and standards. Security managers are quick to point out that compliance with a security-related law, regulation, or standard is not the same thing as being secure.
• In all but the smallest organizations, those with one (or no) security personnel, security managers shoulder the entire gamut of personnel management activities, just as any other manager in an organization does. These activities include finding and retaining talent, establishing roles and responsibilities, creating job descriptions, participating in professional development and training activities, and developing a team culture.
• Security managers are often required to develop a business case before upper management will approve a new project. A business case describes the activity in business terms and helps management understand the costs and benefits of the endeavor.
• Security managers work with their IT partners to ensure that the organization’s networks are adequately protected through the use of firewalls, application firewalls, network segmentation, intrusion prevention systems (IPSs), network anomaly detection, packet sniffers, web content filters, cloud access security brokers (CASBs), DNS filters, phishing filters, and network access controls for both wired and wireless networks.
• Security managers work with IT to ensure that endpoints are adequately protected through the use of configuration management practices, including system hardening, malware prevention, whole-disk encryption, firewalls, IPSs, and web content filters.
• Organizations typically require their workers to undergo security awareness training at the time of hire and annually thereafter. Typical security awareness training includes opportunities for workers to practice skills such as creating good passwords and identifying phishing e-mail messages. Typical training also includes competency testing, with minimum scores required for users to complete their training. Organizations usually retain records of each individual user’s training for a number of years.
• Security awareness also includes messaging in other forms, including e-mail messages from executives and from security leaders, posters, flyers, promotions, contests, and announcements.
• In addition to training for office workers, many organizations also implement specialized security training for information workers such as software developers, system engineers, database administrators, network engineers, and security engineers.
• Organizations that outsource critical information-related services to third parties often require those third-party organizations to implement security awareness training for their employees.
Data Security
• ISACA defines data security as those controls that seek to maintain the confidentiality, integrity, and availability of information. Data security is the heart of everything concerned with information security laws, standards, and practices.
• Typical data security topics include access management, cryptography, backup and recovery, data loss prevention, cloud access security brokers, and user behavior analytics.
• Cryptography is the practice of hiding information in plain sight. Put another way, encryption is the practice of hiding information from unwanted persons. The purpose of encryption is to make it difficult for unauthorized personnel to access encrypted information.
• Encryption works by transforming a message with an algorithm and a secret key known only to the sender and receiver, making the message useless to any other party that intercepts it. The protection rests on the secrecy of the key, not of the algorithm, which is normally published and publicly analyzed.
• Encryption is considered a form of access control; without knowledge of the encryption key and other information, unauthorized parties are unable to access the plaintext (unencrypted) form of information.
• Encryption is used to protect data in motion (data being transmitted from one system to another over a network), at rest (while stored in a system in memory or in main storage), and in transit (while stored on removable media being transported from one location to another).
• Encryption is used in many circumstances, including encryption of e-mail messages, data stored on removable storage devices, data stored in a database, data being transmitted between a web server and a web browser, and data stored on backup media.
• Key management is the term used to describe the policies, procedures, and tools that generate, manage, protect, and dispose of encryption keys.
• Backup is the practice of making copies of critical information onto a separate storage system or media device. The purpose of backup is to protect critical information from loss if some event damages or destroys the original information.
• Replication is a practice wherein data being written to a storage system is copied (replicated) to another storage system. Typically, for disaster recovery planning purposes, the other storage system is located a large distance away from the main storage system.
• Data loss prevention (DLP) represents a variety of capabilities in which the movement and/or storage of sensitive data can be detected and, optionally, controlled. DLP technology is considered a content-aware control that some organizations use to detect and even control the storage, transmission, and use of sensitive data.
• Cloud access security brokers (CASBs) are products that monitor and, optionally, restrict users’ access to and use of cloud-based resources. CASB tools are typically used to help an organization understand which Internet-based services are being used by its personnel.
• Digital rights management (DRM) represents access control technologies used to control the distribution and use of electronic content. DRM is still considered an emerging technology and practice.
• User behavior analytics (UBA) represents an emerging capability that enables organizations to detect anomalous or abnormal behavior of their personnel. UBA systems observe users’ behavior over time and create events or alarms when user behavior deviates from the norm.
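A content-aware DLP check of the kind described in the data loss prevention bullet above, written as an added example (not the guide's own code). It scans outbound text for payment card numbers, discards digit runs that fail the Luhn check so that ticket numbers and timestamps do not trigger it, masks the hits in its output, and applies an assumed allow/alert/block policy. The regular expression, the thresholds and the three sample messages are constructed for the demo.

```python
"""Content-aware DLP check for payment card numbers in outbound text.

Added example, not from the CISM Quick Review Guide. The regex, the Luhn
check and the allow/alert/block thresholds are assumptions chosen for
illustration; the sample messages are constructed, not real traffic.
"""
import re
from typing import Dict, List

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed policy: one card number is worth an alert, two or more are blocked.
ALERT_AT, BLOCK_AT = 1, 2


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs of card length."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised card numbers that pass the Luhn check."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the last four digits in alerts and logs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def inspect(message: str) -> Dict[str, object]:
    """Classify one message under the assumed policy."""
    pans = find_pans(message)
    if len(pans) >= BLOCK_AT:
        action = "block"
    elif len(pans) >= ALERT_AT:
        action = "alert"
    else:
        action = "allow"
    return {"action": action, "matches": [mask(p) for p in pans]}


# Constructed sample messages; the card numbers are the well-known test values.
SAMPLES = [
    "Hi, the customer's card is 4111 1111 1111 1111, please refund.",
    "Ticket 1234567890123 opened at 10:42; totals 5105105105105100 and 4111-1111-1111-1111.",
    "Call me on 0201 555 0123 about the audit findings.",
]


def inspect_all() -> List[str]:
    return [inspect(s)["action"] for s in SAMPLES]
```

The first message carries one valid card number and is alerted on, the second carries two and is blocked (the 13-digit ticket number fails Luhn and is ignored), and the third carries only a phone number and is allowed. A production DLP policy would add document fingerprints, classification labels and exact-data matching; the point here is that detection is content-aware and that the alert itself must not leak the data it found, hence the masking.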
IT Service Management
• IT service management (ITSM) is the set of activities that ensures that the delivery of IT services is efficient and effective, through active management and the continuous improvement of processes. IT service management is defined by standards such as ITIL (IT Infrastructure Library) and ISO/IEC 20000.
• Often known as the helpdesk, the IT service desk handles incidents and service requests on behalf of customers by acting as a single point of contact. The service desk performs end-to-end management of incidents and service requests (at least from the perspective of the customer) and is also responsible for communicating status reports to the customer.
• Incident management is the collection of IT processes that detect and respond to unplanned interruptions or reductions in quality of an IT service.
• Problem management is the set of activities designed to find and remove the underlying causes of incidents, and thereby reduce their number.
• Change management is the set of processes that ensures all changes performed in an IT environment are controlled and performed consistently.
• Configuration management (CM) is the process of recording and maintaining the configuration of IT systems. Each managed component, such as a server, an application, or a network device, is known in ITSM jargon as a configuration item (CI); the CIs and their relationships are recorded in a configuration management database (CMDB).
• Release management is the term used to describe the portion of the SDLC where changes to applications are made available to end users. Release management is used to control the changes that are made to software programs, applications, and environments.
Controls
• The policies, procedures, mechanisms, systems, and other measures designed to reduce risk are known as controls. They are a primary means used to influence important outcomes in an IT environment.
• An organization develops controls to ensure that its business objectives will be met, risks will be reduced, and errors will be prevented or corrected.
• Controls are used in two primary ways in an organization: they are created to ensure desired outcomes, and they are created to avoid unwanted outcomes.
• There are many ways to look at controls to help you better understand them and how they work. In the CISM Certified Information Security Manager All-In-One Exam Guide and CISM Certified Information Security Manager Practice Exams books, controls are described using the words “types,” “classes,” and “categories.” The types of controls are physical, technical, and administrative. The classes of controls are preventive, detective, deterrent, corrective, compensating, and recovery. The categories of controls are automatic and manual.
• Controls are generally organized into control frameworks, which are typically a hierarchy of controls grouped by context or by other means. Well-known control frameworks include ISO/IEC 27002, the NIST Cybersecurity Framework, COBIT, NERC CIP, the Cloud Security Alliance Cloud Controls Matrix, NIST SP 800-53, COSO, the CIS Controls (formerly the CIS 20), and PCI DSS. Organizations are frequently required to adhere to two or more control frameworks; this leads organizations to “map” all of the controls into a single list of controls that is easier to manage.
• General computing controls (GCCs) are a general set of controls that apply across all of an organization’s applications and services.
• Risk assessments are the primary means through which organizations identify the need to develop, modify, or remove individual controls in their control framework.
• The design of a control includes an explanation of its intent, a description of its scope, any related policies or procedures, and the names of the parties responsible for the correct operation of the control.
• Controls are generally monitored so that management has a way of knowing whether the control is being operated. Although controls should be designed so that they can be monitored, some controls are inherently difficult to monitor.
• Organizations typically have assessments performed against their controls as a way of identifying whether the controls are effective.
• Organizations that act as information-related service providers implement service organization controls (SOC) and undergo assessments of these controls. There are established standards for SOC controls and their audits, known as SOC 1, SOC 2, and SOC 3.
• Organizations that decide to implement a set of controls have two basic choices: they can adopt a standard control framework such as ISO/IEC 27002 or NIST SP 800-53, or they can develop controls from scratch.
• When building or improving a metrics program, security managers need to consider the purpose of any particular metric and the audience to whom it is sent. A common mistake made by security managers is the publication of metrics to various audiences without first understanding whether an individual metric will have meaning to any particular person.
Continuous Improvement
• Continuous improvement represents the desire to increase the efficiency and effectiveness of processes and controls over time.
• Several security standards require that an organization adopt a culture of continuous improvement, including ISO/IEC 27001, NIST SP 800-53, and the NIST Cybersecurity Framework.
Chapter 4:
Information Security Incident Management
Although security incident response, business continuity planning, and disaster recovery planning
are often considered separate disciplines, they share a common objective: the secure continuity of
business operations during and after a threat event. There is a wide variety of threat events that, if
realized, will call upon one or more of the three disciplines in response.
a Security incident response, business continuity, and disaster recovery all require advance
planning, so that the organization will have discussed, documented, and outlined the
responses required for various types of incidents in advance of their occurrence.
a Risk assessments are the foundation of planning for all three disciplines, as it is necessary to
discover relevant risks and to establish priorities during response.
affected device or system from a recent backup, or even replacing affected hardware if it has
been damaged as a result of the incident.
a The remediation step of incident response involves steps taken to prevent the incident (or a
similar incident) from recurring. This may include changing the security configuration of a
system, installing a patch, changing a firewall (or other security device) configuration,
changing access controls, or changing network or system architecture. Remediation may
instead focus on changes to policies, controls, procedures, or standards.
a The closure step of incident response occurs when all response activities have been
completed.
a The post-incident review step of incident response consists of a lengthy discussion of the
entire incident, including its discovery and all phases of response. The purpose of the post-
incident review is to identify potential improvements in affected systems, detection methods,
and response methods.
a The retention of evidence step of incident response is concerned with the archival of
information about the incident, including forensic evidence and other records, in the event
that legal proceedings occur at a later time. Thus, any such evidence is typically gathered and
managed through chain of custody procedures to ensure the integrity of the evidence.
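The chain-of-custody handling described above, as an added example that is not code from the guide: each evidence item is fingerprinted with SHA-256 when collected, every hand-off is logged, and the ledger can later show both that the evidence is unchanged and that custody was never broken. Item labels, party names and the sample bytes are constructed placeholders.

```python
"""Minimal chain-of-custody ledger for retained incident evidence (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest recorded at collection time as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str                      # constructed label, e.g. "EV-0001"
    description: str
    sha256: str                       # digest taken when the item was collected
    custody_log: List[dict] = field(default_factory=list)

    def transfer(self, from_party: str, to_party: str, reason: str,
                 when: Optional[datetime] = None) -> None:
        """Append one custody hand-off; the ordered log is the chain of custody."""
        when = when or datetime.now(timezone.utc)
        self.custody_log.append({"time": when.isoformat(), "from": from_party,
                                 "to": to_party, "reason": reason})

    def chain_is_unbroken(self) -> bool:
        """Every hand-off must originate from whoever received the previous one."""
        return all(prev["to"] == cur["from"]
                   for prev, cur in zip(self.custody_log, self.custody_log[1:]))

    def verify(self, data: bytes) -> bool:
        """True only if the evidence still matches its collection-time fingerprint."""
        return fingerprint(data) == self.sha256


def collect(item_id: str, description: str, data: bytes, collector: str) -> EvidenceItem:
    """Fingerprint the item and record the collector as the first custodian."""
    item = EvidenceItem(item_id, description, fingerprint(data))
    item.transfer("scene", collector, "initial collection")
    return item


if __name__ == "__main__":
    image = b"constructed disk image fragment"          # constructed sample evidence
    ev = collect("EV-0001", "workstation disk image", image, "analyst-A")
    ev.transfer("analyst-A", "evidence-locker", "secure storage")
    print(ev.verify(image), ev.chain_is_unbroken())    # True True
```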
a While developing an incident response plan, a security manager needs to understand what
resources are available to detect and respond to an incident. Such resources include
personnel, retainer agreements with third-party organizations (such as forensic
investigators), and tools for incident detection as well as analysis and response.
a A security incident response plan needs to contain information about specific roles and
responsibilities to ensure that a security incident is handled properly and promptly.
a Prior to developing an incident response plan, a security manager should determine the
current response plan and the desired plan and perform a gap analysis to determine what
additions, changes, and improvements are needed.
a A security incident response plan typically includes policy, roles and responsibilities,
communications procedures, and recordkeeping. Some response plans include a set of
playbooks, which are more detailed response procedures for specific security incident
scenarios.
a Incident response plans need to account for incidents that may occur in critical third-party
organizations. Coordination of incident response between the organization and the third
party is essential in such situations.
a Incident response plans generally include a scheme for classifying an incident. Criteria for
incident classification include the scope of impact of an incident as well as whether there are
requirements to notify affected parties.
a Incident response plans include escalation procedures, generally associated with incident
classifications.
a Organizations should review and update their incident response plan documents at least
once per year as well as any time a significant change is made in an organization or its
supporting systems.
a Organizations should periodically test personnel to ensure that they remain familiar with
response procedures and to confirm that response procedures are still appropriate and up to
date. Tabletop testing incorporates a simulation of an actual incident, which adds realism to
the test. Testing an incident response plan can also serve as training for incident responders.
a The detection phase marks the start of an organization’s awareness of a security incident. In
many cases, a period of time elapses between the start of the actual incident and the moment
the organization becomes aware of it. This period of time is known as dwell time.
a The ability to detect an intrusion or incident requires a capability known as event visibility.
Typically, event visibility is achieved through the use of event log collection and analysis
tools or via an employee, a customer or client, social media, a regulator, a security
researcher, or law enforcement.
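Event visibility and dwell time made concrete, as an added example (not code from the guide): a few constructed syslog-style lines stand in for a central log collector, a simple rule flags repeated login failures followed by a success from one source, and dwell time is measured from the first attacker activity in the logs to the moment the incident was declared. The log format, hostnames, usernames and addresses are constructed for the example.

```python
"""Added example: detect an incident in collected logs and measure dwell time."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format: "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                  r"password for (?P<user>\S+) from (?P<src>\S+)$")

CONSTRUCTED_LOGS = """\
2024-03-01T02:10:05 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:09 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:14 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T02:10:20 web01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T08:15:00 web01 sshd: Accepted password for alice from 192.0.2.10
"""


def parse(text: str) -> List[Dict]:
    """Turn collected log lines into structured events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_brute_force(events: List[Dict], threshold: int = 3) -> List[Dict]:
    """Flag a source/user pair with >= threshold failures followed by a success."""
    findings, failures = [], {}
    for ev in events:
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed":
            failures.setdefault(key, []).append(ev["ts"])
        elif len(failures.get(key, [])) >= threshold:
            findings.append({"src": ev["src"], "user": ev["user"],
                             "first_seen": failures[key][0], "success": ev["ts"]})
    return findings


def dwell_time(first_seen: datetime, declared: datetime) -> timedelta:
    """Dwell time: from the earliest incident activity to the incident declaration."""
    return declared - first_seen


if __name__ == "__main__":
    hits = detect_brute_force(parse(CONSTRUCTED_LOGS))
    declared = datetime(2024, 3, 3, 9, 0, 0)   # constructed declaration time
    print(hits[0]["src"], dwell_time(hits[0]["first_seen"], declared))
```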
a When an organization has realized that a security incident has taken place or is still taking
place, an incident responder or other person will make an incident declaration. An
organization’s security incident response plan should include a procedure for declaring an
incident.
a The evaluation phase of security incident response is concerned with the examination of
available information that reveals the nature of the incident. This may include the use of
forensic examination techniques that permit the examiner to determine how an incident was
able to occur. Incidents are often classified at the conclusion of the evaluation phase.
a The eradication phase of security incident response is concerned with the removal of the
agent(s) or factor(s) that caused or aided the incident. Depending on the nature of the
incident, this may involve the removal of physical subjects from a work center or information
processing center, or the removal of malware from one or more affected systems.
a The recovery phase focuses on the restoration of affected systems and assets to their pre-
incident state. Recovery is performed after eradication is completed; this means that any
malware or other tools used by the intruder have been removed.
a The remediation phase involves the remediation of any vulnerabilities that were exploited
during the incident. This includes, but is not limited to, technical vulnerabilities that may
have permitted malware exploits to work, but also any supporting technology, business
process, or personnel training vulnerabilities.
a The closure phase is marked by an end of response activities. Here, forensic evidence and
communications records are archived, and internal personnel and outside authorities are
notified.
a A post-incident review includes a discussion that identifies what went well during the incident
and what could have been handled or performed in a better way.