Module 5: Incident Response and Contingency Planning

5.1 🤔 The Need for Contingency Planning

Contingency planning (CP) addresses unexpected adverse events that

disrupt technology use and halt business operations. An organization's ability
to withstand losses from such events hinges on proper planning and
execution. Without a plan, an adverse event can severely damage
information resources and assets, potentially causing irreparable harm. Over
40% of businesses without a disaster plan fail after a major loss (Hartford
Insurance).

5.2 🧱 Major Components of Contingency Planning

Contingency planning encompasses four key components:

 Business Impact Analysis (BIA): Assesses the impact of various

adverse events on the organization. It assumes security controls have
failed and the attack was successful.

 Incident Response Plan (IR Plan): Outlines the steps to take during
and after a security incident.

 Disaster Recovery Plan (DR Plan): Details the procedures for

recovering from a disaster that significantly disrupts operations.

 Business Continuity Plan (BC Plan): Focuses on maintaining

essential business operations during and after a disruptive event.

These components can be integrated into a single unified plan or developed

separately with interlocking procedures.

5.3 🎯 Components of Crisis Management (Not explicitly defined in

this transcript)

This section is not covered in the provided transcript.

5.4 🧪 Testing Contingency Plans

The transcript does not explicitly cover how to test contingency plans, but it
mentions that testing is a critical part of the process (NIST recommends it).

NIST CP Methodology

The NIST recommends these steps for developing a CP document:

1. Develop the CP policy statement.

 2. Conduct the BIA.

3. Identify preventive controls.

4. Create contingency strategies.

5. Develop a contingency plan.

6. Ensure plan testing, training, and exercises.

7. Ensure plan maintenance.

CP Policy Components

A comprehensive CP policy should include:

 An introductory statement from senior management.

 The scope and purpose of CP operations.

 A requirement for periodic risk assessment and BIA.

 A description of CP's major components.

 Guidance on selecting recovery options and business continuity

strategies.

 A requirement for regular plan testing.

 Identification of relevant regulations and standards.

 Identification of key personnel responsible for CP.

 A request for support from all organizational members.

 Additional administrative information.

Individuals and Teams Involved in CP

The Contingency Planning Management Team (CPMT) typically

includes:

 Champion

 Project manager

 Team members

 Business managers

 IT managers
  Information security managers

 Representatives from supplemental planning teams (IR, DR, BC, CM)

Business Impact Analysis (BIA)

The BIA is the initial phase of CP. It investigates and assesses the impact of
various adverse events on the organization. The key difference between BIA
and risk management is that risk management focuses on preventing
attacks, while BIA assumes that controls have failed and the attack was
successful.

BIA Considerations

When conducting a BIA, consider:

 Scope: Define the boundaries of the analysis.

 Plan: Develop a structured approach to the analysis.

 Balance: Ensure a comprehensive yet practical assessment.

 Objective: Remain impartial and data-driven.

 Follow-up: Establish procedures for reviewing and updating the BIA.

BIA Stages (According to NIST SP 800-34, Rev. 1)

1. Determine mission/business processes and recovery criticality.

2. Identify resource requirements.

3. Identify recovery priorities for system resources.

Determining Business Process and Recovery Criticality

This involves analyzing and prioritizing business processes based on their

importance to the organization's mission. Each department is evaluated to
determine the importance of its functions. A weighted analysis table and BIA
questionnaires can be helpful tools.

Example Weighted Table Analysis of Business Processes

Impact on Impact on Product/Service Impact on Market

Criterion Profitability Delivery Share

Criterion
1 0.25 0.3 0.15
 Impact on Impact on Product/Service Impact on Market
Criterion Profitability Delivery Share

... ... ... ...

(Note: The table is incomplete in the transcript. More rows are needed.)

📊 Business Impact Analysis (BIA) 📊

The Business Impact Analysis (BIA) is a critical process that helps

organizations assess the potential impact of disruptions to their business
operations. This analysis is used to identify the mission/business
processes that are critical to the organization's success.

Weighted Table Analysis

A Weighted Table Analysis is a method used to evaluate the importance of

different business processes. The table below shows an example of a
weighted table analysis:

Impact on
Impact on Impact on Impact on Market Impact o
Process Revenue Profitability Product/Service Share Reputati

Customer Sales 5 5 5 5 4

Production 5 5 5 3 3

Information
Security 3 3 3 3 5

IT Services 4 3 4 2 2

Customer
Services 2 3 2 1 4

Research and
Development 1 1 2 3 3

Employee 1 1 2 1 2
 Impact on
Impact on Impact on Impact on Market Impact o
Process Revenue Profitability Product/Service Share Reputati

Support Services

Information Asset Prioritization

Information Asset Prioritization is the process of identifying and

prioritizing the information assets used by an organization's business
processes. This is done to understand the potential impact of a disruption to
these assets.

The presence of high-value information assets may influence the valuation of

a particular business process.

Identify Recovery Resource Requirements

Once the organization has created a prioritized list of its mission/business

processes, it needs to determine what resources would be required to
recover those processes and the assets associated with them.
A Resource/Component Table can be used to organize this information.

Example Resource/Component Table

Additional Resource D
Mission/Business Process Required Resource Estimated Costs

Provide Customer Support Trouble ticket and resolution Application server with
(Help-Desk) application and SQL database

Provide Customer Support 25 Cat5e network drop

(Help-Desk) Help-desk network segment hub

Provide Customer Support 1 laptop/PC per technic

(Help-Desk) Help-desk access terminals browsing software

Customized accounts receivable Application server with

Provide Customer Billing application and SQL database

📈 System Resource Recovery Priorities 📈

The last stage of the BIA is prioritizing the resources associated with the
mission/business processes. This provides a better understanding of what
must be recovered first, even within the most critical processes.

 A simple valuation and classification scale, such as

Primary/Secondary/Tertiary, or Critical/Very
Important/Important/Routine, can be used to provide a quicker method
of valuing the supporting resources.

 Weighted tables can be used to evaluate the importance of different

resources.

📝 Contingency Planning Policies 📝

Contingency Planning Policies provide guidance on the structure of the

subordinate teams and the philosophy of the organization. These policies
assist in the structuring of the plan and define the related roles and
responsibilities for each element of the overall contingency planning
environment.

🚨 Incident Response 🚨

Incident Response is the process of responding to and managing the

aftermath of a security incident. This includes detecting, reacting to, and
recovering from attacks, employee errors, service outages, and small-scale
natural disasters.

Incident Response Policy

A typical Incident Response Policy should include:

 Statement of management commitment

 Purpose and objectives of the policy

 Scope of the policy

 Definition of InfoSec incidents and related terms

 Organizational structure and definition of roles, responsibilities, and

levels of authority

 Prioritization or severity ratings of incidents

 Performance measures

 Reporting and contact forms

NIST Incident Response Life Cycle

The NIST Incident Response Life Cycle provides a framework for incident
response. This includes:

 Detection and reporting of incidents

 Initial response and containment

 Eradication and recovery

 Post-incident activities

NIST Cybersecurity Framework

The NIST Cybersecurity Framework provides a framework for improving

critical infrastructure cybersecurity. This includes:

 Identify: Identify the organization's critical assets and data

 Protect: Implement measures to protect the organization's critical

assets and data

 Detect: Implement measures to detect and respond to security

incidents

 Respond: Respond to and manage the aftermath of a security incident

 Recover: Recover from a security incident and restore normal

operations# Incident Response Planning and Handling

What Constitutes an InfoSec Incident? 🤔

An event is classified as an InfoSec incident if it meets the following

criteria:

 It targets information assets.

 It has a realistic chance of success.

 It threatens the confidentiality, integrity, or availability of

information resources and assets.

It's crucial to remember that incident response (IR) is a reactive, not

preventive, measure, although IR plans often include preventive steps.

IR Planning 📝

The creation of an organization's IR plan typically falls under the

responsibility of the Chief Information Security Officer (CISO) or an IT
manager with security responsibilities. According to NIST SP 800-61, Rev. 2,
a comprehensive IR plan should include:

 Mission, strategies, and goals

 Senior management approval

 Organizational approach to incident response

 Incident response team communication protocols

 Metrics for measuring incident response capability and

effectiveness

 Roadmap for improving incident response capability

 Integration of the program within the overall organizational

structure

Incident Handling Procedures

For each incident scenario, the incident response team (IRT) develops three
sets of procedures:

 Before the incident: Proactive measures and preventative steps.

 During the incident: Actions taken while the incident is ongoing.

 After the incident: Post-incident analysis, recovery, and preventative

measures.

These procedures are documented and form the core of the IR plan.

The Computer Security Incident Response Team (CSIRT) 👨‍💻👩‍💻

The execution of the IR plan usually falls to the CSIRT. While some overlap
may occur, the CSIRT is distinct from the IR planning team (IRPT). It
comprises technical and managerial IT and InfoSec
professionals equipped to diagnose and respond to incidents. The CSIRT's
structure can vary widely; it might be an informal group or a highly
structured team with defined policies, procedures, technologies, personnel,
and data.

IR Actions: A Three-Phase Approach 🔄

Incident response actions are typically organized into three phases:

 Detection: Identifying an incident as early as possible to minimize

impact.
  Reaction: Responding swiftly and effectively to limit the scope and
impact of the incident.

 Recovery: Restoring normal operations and preventing recurrence.

NIST SP800-61, Rev. 2: Incident Handling Checklist ✅

This checklist outlines the steps involved in handling an incident, categorized

into phases:

Detection and Analysis:

Action Co

Determine if an incident occurred

Analyze precursors and indicators

Look for correlating information

Perform research

Begin documenting and gathering evidence

Prioritize incident handling

Report the incident

Containment, Eradication, and Recovery:

Action C

Acquire, preserve, and secure evidence

Contain the incident

Eradicate the incident

Identify and mitigate exploited vulnerabilities

Action C

Remove malware, etc.

Repeat Detection & Analysis if needed

Recover from the incident

Return systems to operational state

Confirm normal system functioning

Implement additional monitoring

Post-Incident Activity:

Action Comple

Create a follow-up report

Hold a lessons-learned meeting

Data Protection for Incident Preparedness 💾

Organizations can employ various methods to protect information and ensure

quick recovery after an incident:

 Traditional data backups

 Electronic vaulting

 Remote journaling

 Database shadowing

Industry best practices suggest following the 3-2-1 backup rule: three
copies of data on at least two different media, with one copy offsite. Regular
backups (daily on-site, weekly off-site) are recommended.

Detecting Incidents: Routine Events vs. Actual Incidents 🧐

Distinguishing routine events from actual incidents is crucial. Failing to
accurately identify an incident can lead to:

 Wasted resources on false alarms.

 Delayed responses to actual incidents, increasing damage.

Incident Candidates and Classification 🔎

Incident candidates are adverse events or abnormalities flagged by

monitoring tools or users. These require further analysis to determine if they
represent actual incidents. Incident classification involves examining an
adverse event to determine if it's a true incident. Reports from users,
intrusion detection systems, antivirus software, and system administrators
help identify candidates.

Incident Indicators 🤔

Indicators can be categorized as:

Possible Indicators:

 Presence of unfamiliar files

 Presence or execution of unknown programs/processes

 Unusual resource consumption

 Unusual system crashes

Probable Indicators:

 Activities at unexpected times

 Presence of new accounts

 Reported attacks

 IDS notifications

Definite Indicators:

 Use of dormant accounts

 Changes to logs

 Presence of hacker tools

 Notifications from partners/peers

 Notifications from hackers

Potential Incident Results:

 Loss of availability

 Loss of integrity

 Loss of confidentiality

 Policy violation

 Law violation

Knowledge Check Activity 2 🤔

Which of these is not a definite indicator that an event is an incident?

a. Use of dormant accounts b. Unusual system crashes c. Changes to logs d.

Presence of hacker tools

Answer: b. Unusual system crashes

Explanation: Unusual system crashes may be a possible indicator and

should be carefully investigated, but they do not rise to the level of a definite
indicator.

Reacting to Incidents 💥

Once an actual incident is confirmed and properly classified, the incident

response (IR) plan moves from the detection phase to the reaction phase.
The steps in IR are designed to stop the incident, mitigate its effects, and
provide information for recovery. In this phase, actions taken by the
Computer Security Incident Response Team (CSIRT) and others must occur
quickly and may happen concurrently.

Notification of Key Personnel 🚨

As soon as an incident is declared, the right people must be notified

immediately and in the right order.

 An alert roster is a document containing contact information for

individuals to be notified in the event of an incident, either sequentially
or hierarchically.

 The alert message is a scripted description of the incident.

 Other key personnel are notified only after the incident is confirmed
but before external sources learn of it.

Documenting an Incident 📝
As soon as an incident is confirmed and the notification process begins, the
team should start documenting it. The documentation should record the who,
what, when, where, why, and how of each action taken. This serves as a case
study to determine if the right actions were taken and if they were effective.
It can also prove the organization did everything possible to deter the spread
of the incident.

Incident Containment Strategies

The essential task of IR is to stop the incident and contain its scope or
impact. Incident containment strategies focus on:

 Stopping the incident

 Recovering control of affected systems

Typical containment strategies include:

 Disabling compromised user accounts

 Reconfiguring a firewall to block problem traffic

 Temporarily disabling the compromised process or service

 Taking down the conduit application or server

 Disconnecting the affected network or network segment

 Stopping all computers and network devices

Incident Escalation ⬆️

An incident may increase in scope or severity to the point that the IR plan
cannot adequately contain it. Each organization must determine, during the
business impact analysis, the point at which an incident becomes a disaster.
The organization must also document when to involve outside responders.

Recovering from Incidents 🔄

Once the incident is contained and system control regained, recovery can
begin.

 First, inform appropriate human resources.

 The CSIRT assesses the full extent of the damage to determine what
must be done to restore systems.
  Incident damage assessment: The immediate determination of the
scope of the breach of confidentiality, integrity, and availability of
information and information assets.

 Those who document the damage must be trained to collect and

preserve evidence.

The incident recovery process includes:

 Restoring data from backups as needed.

 Restoring services and processes.

 Continuously monitoring the system.

 Restoring the confidence of communities of interest. This involves

identifying vulnerabilities that allowed the incident to occur and
spread, resolving them, addressing safeguards that failed,
installing/replacing/upgrading them, and evaluating monitoring
capabilities.

Common Mistakes CSIRTs Make ❌

According to McAfee, CSIRTs commonly fail to:

 Appoint a clear chain of command.

 Establish a central operations center.

 Know their enemy.

 Develop a comprehensive IR plan with containment strategies.

 Record IR activities at all phases.

 Document events in a timeline.

 Distinguish incident containment from incident remediation.

 Secure and monitor networks and network devices.

 Establish and manage system and network logging.

 Establish and support effective antivirus and antimalware solutions.

NIST Recommendations for Incident Handling 💡

Acquire tools and resources. Prevent incidents from occurring. Identify

precursors and indicators through alerts. Establish mechanisms for outside
parties to report incidents. Require a baseline level of logging and auditing.
Profile networks and systems. Understand normal behaviors. Create a log
retention policy. Perform event correlation. Keep all host clocks synchronized.
Maintain and use a knowledge base. Start recording information as soon as
an incident is suspected. Safeguard incident data. Prioritize handling of
incidents. Include provisions for incident reporting in the organization's
incident response policy. Establish strategies and procedures for containing
incidents. Follow established procedures for evidence gathering and
handling. Capture volatile data as evidence. Obtain system snapshots. Hold
lessons-learned meetings after major incidents.

Organizational Philosophy on Incident and Disaster Handling ⚖️

When facing incidents and disasters stemming from intentional attacks,

organizations must choose one of two philosophies:

 Protect and forget (patch and proceed): Focuses on restoring

systems and operations quickly.

 Apprehend and prosecute (pursue and prosecute): Prioritizes

investigating the incident, identifying the perpetrator, and pursuing
legal action.

Digital Forensics 🧑‍💻

Digital forensics is used to determine what happened and how an incident

occurred. It's based on traditional forensic principles and involves:

 Preservation

 Identification

 Extraction

 Documentation

 Interpretation of digital media for evidentiary and/or root-cause

analysis

Evidentiary material (EM): any item or information that applies to an

organization's legal or policy-based case.

Digital forensics serves two key purposes:

1. Investigating allegations of digital malfeasance

2. Performing root-cause analysis

Organizations typically choose one of two approaches:

 1. Protect and forget: (patch and proceed)

2. Apprehend and prosecute: (pursue and prosecute)

The Digital Forensics Team ‍♀️

Most organizations can't maintain a permanent digital forensics team. They

usually collect data and outsource the analysis. Information security
personnel should be trained to understand and manage the forensics process
to avoid contaminating potential EM. Expertise can be gained through
training.

Digital Forensics Methodology 🔎

All investigations follow this basic methodology:

1. Identify relevant EM.

2. Acquire (seize) the evidence without alteration or damage.

3. Ensure the evidence is verifiably authentic and unchanged from the

time it was seized.

4. Analyze the data without risking modification or unauthorized access.

5. Report the findings to the proper authority.

Evidentiary Procedures 📜

Strong procedures for handling potential evidentiary material minimize the

probability of losing a legal challenge. Organizations should develop specific
procedures and guidance, supported by a procedures manual.

Disaster Recovery (DR) 💥

Disaster recovery planning (DRP): Preparation for and recovery from a

disaster (natural or human-made). An incident becomes a disaster when:

The organization can't contain or control the impact, or the damage is so

severe that quick recovery is impossible.

The key role of a DR plan is defining how to reestablish operations at the

primary site.

The Continuity Planning (CP) team creates the Disaster Recovery

Planning Team (DRPT). The DRPT organizes and prepares Disaster
Recovery Response Teams (DRRTs) to implement the DR plan. These
teams have multiple responsibilities:
  Recover salvageable information assets from the primary facility.

 Acquire replacement information assets.

 Reestablish functional information assets at the primary site (or a new

one, if necessary).

Some common DRRTs include:

 DR management

 Data management

 Communications

 Vendor contact

 Computer recovery

 Damage assessment and salvage (hardware)

 Business interface

 Systems recovery (OS)

 Network recovery

 Logistics

 Storage recovery

 Applications recovery

 Others as needed

Disaster Recovery Process 🔄

The NIST methodology, adapted for DRP, includes:

1. Organize the DR team.

2. Develop the DR planning policy statement.

3. Review the BIA (Business Impact Analysis).

4. Identify preventive controls.

5. Create DR strategies.

6. Develop the DR plan document.

7. Ensure DR plan testing, training, and exercises.

 8. Ensure DR plan maintenance.

Disaster Recovery Policy 📄

The DR team, led by a designated manager, develops the DR policy. It

contains:

 Purpose

 Scope

 Roles and responsibilities

 Resource requirements

 Training requirements

 Exercise and testing schedules

 Plan maintenance schedule

 Special considerations

Disaster Classifications ⚠️

DR plans classify disasters in several ways:

 Natural disasters

 Human-made disasters

Disasters can also be classified by their rate of occurrence:

 Rapid-onset disasters

 Slow-onset disasters

Examples of Natural Disasters:

 Fire

 Flood

 Earthquake

 Lightning

 Landslide or mudslide

 Tornado or severe windstorm

 Hurricane or typhoon
  Tsunami

 Electrostatic discharge (ESD)

 Dust contamination

Planning to Recover 🚧

Scenario development and impact analysis categorize the threat level of

each potential disaster. When generating a DR scenario, start with the most
important asset: people.

Key points in the DR plan:

1. Clear delegation of roles and responsibilities

2. Execution of the alert roster and notification of key personnel

3. Clear establishment of priorities

4. Documentation of the disaster

5. Action steps to mitigate the impact

6. Alternative implementations for the various systems components

Simple DR Plan Elements 📝

A simple DR plan includes:

 Name of agency

 Date of completion/update and most recent test

 Agency staff to be called in a disaster

 Emergency services to be called (if needed)

 Locations of in-house emergency equipment and supplies

 Sources of off-site equipment and supplies

 Salvage priority list

 Agency disaster recovery procedures

 Follow-up assessment

Knowledge Check: When generating a disaster scenario for planning

or rehearsal, start with the most important asset: people.

Business Continuity (BC) Planning 🧑‍💼

Business Continuity (BC): Strategies that ensure critical business
functions continue during a disaster, allowing operations to resume even
after significant disruption. Managed by the CEO or COO.

Business Continuity Planning (BCP): The process of creating and

implementing BC strategies. Runs concurrently with DRP (Disaster Recovery
Plan).

BCP vs. DRP: While BCP focuses on re-establishing critical functions at

an alternate site, DRP centers on reestablishment at the primary site.

NIST Methodology for BC Planning

The NIST (National Institute of Standards and Technology) methodology

provides a structured approach to BCP:

1. Form the BC team.

2. Develop the BC planning policy statement.

3. Review the BIA (Business Impact Analysis).

4. Identify preventive controls.

5. Create relocation strategies.

6. Develop the BC plan.

7. Ensure BC plan testing, training, and exercises.

8. Ensure BC plan maintenance.

Business Continuity Policy Components 📄

A comprehensive BC policy should include:

 Purpose: The overall goal of the plan.

 Scope: What aspects of the business are covered.

 Roles and Responsibilities: Who is responsible for what.

 Resource Requirements: The resources needed (personnel,

technology, etc.).

 Training Requirements: Training needed for personnel.

 Exercise and Testing Schedules: Regular testing and drills.

 Plan Maintenance Schedule: Regular updates and revisions.

  Special Considerations: Any unique aspects of the organization.

Crisis Management 🚨

Crisis Management (CM): Focuses on the human impact of a disaster,

prioritizing the safety and well-being of personnel and the organization's
reputation. Often handled separately from DRP, sometimes as a subset.

Crisis Management Team Roles 🤝

According to Gartner Research, the crisis management team's

responsibilities include:

 Supporting personnel and their families during the crisis.

 Keeping the public informed.

 Communicating with stakeholders (customers, suppliers, partners,

agencies, media, etc.).

Crisis Management Planning Team (CMPT) Responsibilities

The CMPT establishes a command center and has three primary

responsibilities:

1. Verifying personnel status.

2. Activating the alert roster.

3. Coordinating with emergency services.

Initial Focus of Crisis Management

The initial priority in a crisis is the safety of staff, visitors, and the
public.

Business Resumption Planning (BRP) 🔄

Business Resumption Planning (BRP): Merges DR and BC planning into a

single, comprehensive plan. Supports re-establishment of operations at an
alternate site and eventually at the primary site.

Contingency Plan Testing 🧪

Testing is crucial to identify weaknesses and improve plans. Four testing

strategies are available:

 Desk check: Review of the plan by the team.

 Structured walk-through: A step-by-step review of the plan.

  Simulation: A simulated disaster scenario.

 Full interruption: A real-world test of the plan.

Continuous Process Improvement (CPI) 📈

Continuous Process Improvement (CPI): A formal methodology for

iteratively improving contingency plans. Each rehearsal provides
opportunities to identify areas for refinement and improvement.

Contingency Planning Process 🚧

The creation of contingency plan (CP) components uses a seven-step

process:

1. Develop the contingency planning policy statement.

2. Conduct the BIA (Business Impact Analysis).

3. Identify preventive controls.

4. Create contingency strategies.

5. Develop a contingency plan.

6. Ensure plan testing, training, and exercises.

7. Ensure plan maintenance.

Teams Involved in Contingency Planning 🧑‍💼

Four teams are involved:

 CP team: Creates the contingency plan.

 IR team: Incident Response team; ensures the CSIRT (Computer

Security Incident Response Team) is formed. The IR plan details
processes and procedures for planning, detecting, and resolving
unexpected event effects on information resources and assets. For
each scenario, they create procedures for before, during, and after the
incident to detect, contain, and resolve it. Incident classification
determines if a candidate constitutes an actual incident, using
possible, probable, and definite indicators.

 DR team: Disaster Recovery team.

 BC team: Business Continuity team.

Incident Classification and Digital Forensics 🔎

An actual incident is in progress when:

 Loss of availability of information

 Loss of integrity of information

 Loss of confidentiality of information

 Violation of policy

 Violation of law

Digital forensics: The investigation of wrongdoing in information security.

It involves preserving, identifying, extracting, documenting, and interpreting
computer media for evidence and root cause analysis.

Disaster Recovery and Business Continuity Planning 📁

 Disaster Recovery (DR) planning: Prepares for handling and

recovering from disasters (natural or human-made).

 Business Continuity (BC) planning: Ensures critical business

functions continue during catastrophic incidents or disasters. BC plans
may include:

 Hot sites

 Warm sites

 Cold sites

 Timeshares

 Service bureaus

 Mutual agreements

Business Resumption Planning 🤝

DR and BC plans are closely related; many organizations prepare both

simultaneously, combining them into a business resumption (BR) plan.
The DR plan should include crisis management (actions taken during and
after a disaster). Crisis management may have its own policy and plan if
protecting human life and the organization's image are high priorities. All
plans must be tested (vulnerabilities, faults, inefficiencies) using strategies
such as:

 Desk check
 Structured walk-through

 Simulation

 Full interruption