Professional Documents
Culture Documents
Isaca: Trust In, and Value From, Information Systems
Isaca: Trust In, and Value From, Information Systems
Chapter 5
Incident Management and
Response
Course Agenda
• Learning objectives
• Discuss task and knowledge statements
• Discuss specific topics within the chapter
• Case studies
• Sample questions
Exam Relevance
• Plans must be
– Clearly documented
– Readily accessible
– Based on the long range IT plan
– Consistent with the overall business continuity
and security strategies
5.4.1 Incident Management and
Response (continued)
• A scope/charter document
– Formally establishes the IMT
– Documents its responsibility to manage and respond to
security incidents
• Sections of the charter should include:
– Mission
– Scope
– Organizational structure
– Information flow
– Services provided
5.7.1 Responsibilities
• Personal skills
– Communication
– Presentation skills
– Ability to follow policies and procedures
– Team skills
– Integrity
– Self understanding
– Coping with stress
– Problem solving
– Time management
5.11.5 Skills (continued)
• Technical skills
– Technical foundation skills—Require a
basic understanding of the underlying
technologies used by the organization
– Incident handling skills—Require an
understanding of the techniques,
decision points and supporting tools
required in daily activities
5.11.7 Audits
• A BIA should
– Establish the escalation of loss over time
– Identify the minimum resources needed for recovery
– Prioritize the recovery of processes and supporting
systems
5.11.8 Business Impact
Analysis / Assessment
(continued)
BIAs often have the following elements in common
• Describe the business mission of each particular
business/cost center
• Identify the functions that characterize each business
function
• Identify critical processing cycles (in terms of time
intervals) for each function
• Estimate the impact of each type of incident on business
operations
• Identify the resources and activities required to restore an
acceptable level of operation
• Estimate the amount of time that recovering from each
type of incident is likely to take
5.11.8 Business Impact
Analysis / Assessment
(continued)
Conducting BIAs produces several important
major benefits, including:
• Increasing the understanding of the amount of
potential loss, and various other undesirable
effects that could occur from certain types of
incidents
• Facilitating all response management activities
• Raising the level of awareness for response
management within an organization
5.12 Current State of Incident
Response Capability
Ways to identify the current state of
incident response capability include:
• Survey of senior management, business
managers and IT representatives
• Self-assessment
• External assessment or audit
5.12.1 History of Incidents
• RPO
– Is a measurement of the point prior to an
outage to which data are to be restored
– Describes the state of recovery that
should be achieved to facilitate
acceptable outcomes
5.13.1 Elements of an Incident
Response Plan
• If an incident occurs:
– The information security staff needs
documented procedures so that information
can be properly recorded and preserved
– The ISM should develop data/evidence
preservation procedures
– The information systems staff must understand
basic procedures, including taking no action
that could change/modify/contaminate potential
or actual evidence
5.17.1 Establishing Procedures
(continued)
The initial response by the system administrator
should include:
• Retrieving information needed to confirm an
incident
• Identifying the scope and size of the affected
environment (e.g., networks, systems, applications)
• Determining the degree of loss, modification or
damage (if any)
• Identifying the possible path or means of attack
5.17.2 Requirements for
Evidence