CISM Domain4

The document outlines the framework for Information Security Incident Management, detailing the necessary procedures, policies, and resources required for effective incident response. It includes elements such as incident response plans, communication strategies with external parties, and the importance of training and preparation for incident management teams. Additionally, it emphasizes the need for continuous improvement through gap analysis and metrics to enhance incident response capabilities.

Uploaded by ahmeddhamed179

J. A. “Drew” Hamilton, Jr., Ph.D.

Chair, NSA Cyber Operations Community of Practice


Director, Center for Cyber Innovation
Professor, Computer Science & Engineering
This work funded by NSA Contract #H98230-19-1-0291

2 Research Blvd.
Starkville, MS 39759
CCI Voice: (662) 325-2294
Fax: (662) 325-7692
[email protected]

Certified Information Security Manager – Domain 4 1


Domain 4: Information Security
Incident Management

References:
Drew Hamilton Lecture Notes
CISM Review Manual, 15th Edition
CISM All-in-One Exam Guide, 1st Edition

Domain Outline

• Information Security Incident Management Overview
• Incident Response Procedures
• Incident Management Organization
• Incident Management Resources and Objectives
• Incident Management Metrics and Indicators
• Developing an Incident Management Plan
• Business Continuity and Disaster Recovery Plans
• Executing Response and Recovery Plans
• Post-incident Activities and Investigation

Information Security Incident
Management Overview

Domain 4:
Information Security Incident Management
References: ISACA CISM Review Manual 15th Ed.
NIST SP 800-61r2 Incident Response

What is Incident Management?

• Emergency Operations Component of Risk Management
• Incident Management Factors
– Constituency to be served
– Mission, goals and objectives
– Services provided
– Organizational model and the relationship with the
parent organization or customer base.
– Funding for start-up costs and ongoing operations
– Resources needed by the computer security incident
response team (CSIRT)

What is a computer security incident?
• An attacker commands a botnet to send high
volumes of connection requests to a web server,
causing it to crash.
• Users are tricked into opening a “quarterly report”
sent via email that is actually malware; running the
tool has infected their computers and established
connections with an external host.
• An attacker obtains sensitive data and threatens
that the details will be released publicly if the
organization does not pay a designated sum of
money.
• A user provides or exposes sensitive information to
others through peer-to-peer file sharing services.

Incident Response Policy Elements
• Statement of management commitment
• Purpose and objectives of the policy
• Scope of the policy
– (to whom and what it applies and under what
circumstances)
• Definition of computer security incidents and
related terms
• Organizational structure and definition of roles,
responsibilities, and levels of authority
• Prioritization or severity ratings of incidents
• Performance measures
• Reporting and contact forms.

Incident Response Plan
• Mission
• Strategies and goals
• Senior management approval
• Organizational approach to incident response
• How the incident response team will communicate
with the rest of the organization and with other
organizations
• Metrics for measuring the incident response
capability and its effectiveness
• Roadmap for maturing the incident response
capability
• How the program fits into the overall organization.

ISACA Incident Response Plan Elements

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Incident Response Procedure Elements
• Procedures should be based on the incident
response policy and plan.
– Standard operating procedures (SOPs) are a delineation of
the specific technical processes, techniques, checklists,
and forms used by the incident response team.
– SOPs should be reasonably comprehensive and detailed to
ensure that the priorities of the organization are reflected in
response operations.
– In addition, following standardized responses should
minimize errors, particularly those that might be caused by
stressful incident handling situations.
– SOPs should be tested to validate their accuracy and
usefulness, then distributed to all team members.
– Training should be provided for SOP users; the SOP
documents can be used as an instructional tool. Suggested
SOP elements are presented throughout Section 3.

Communications with Outside Parties

The Media
• Conduct training sessions on interacting with the media
regarding incidents, which should include the importance of
not revealing sensitive information,
– such as technical details of countermeasures that could assist
other attackers, and the positive aspects of communicating
important information to the public fully and effectively.
• Establish procedures to brief media contacts on the issues
and sensitivities regarding a particular incident before
discussing it with the media.
• Maintain a statement of the current status of the incident so
that communications with the media are consistent and up-
to-date.
• Remind all staff of the general procedures for handling media
inquiries.

Mock Interviews

• The following are examples of questions to ask the media contact:
• Who attacked you? Why?
• When did it happen? How did it happen? Did this
happen because you have poor security
practices?
• How widespread is this incident? What steps are
you taking to determine what happened and to
prevent future occurrences?
• What is the impact of this incident? Was any
personally identifiable information (PII) exposed?
What is the estimated cost of this incident?

Other Outside Parties (1)

• Organization’s ISP.
– An organization may need assistance from its ISP in
blocking a major network-based attack or tracing its
origin.
• Owners of Attacking Addresses.
– If attacks are originating from an external organization’s
IP address space, incident handlers may want to talk to
the designated security contacts for the organization to
alert them to the activity or to ask them to collect
evidence.
– It is highly recommended to coordinate such
communications with US-CERT or an ISAC.

Other Outside Parties (2)
• Software Vendors.
– Incident handlers may want to speak to a software
vendor about suspicious activity.
– This contact could include questions regarding the
significance of certain log entries or known false
positives for certain intrusion detection signatures,
where minimal information regarding the incident may
need to be revealed.
– More information may need to be provided in some
cases—for example, if a server appears to have been
compromised through an unknown software
vulnerability.
– Software vendors may also provide information on
known threats (e.g., new attacks) to help organizations
understand the current threat environment.

Other Outside Parties (3)
• Other Incident Response Teams.
– An organization may experience an incident that is
similar to ones handled by other teams; proactively
sharing information can facilitate more effective and
efficient incident handling
• Affected External Parties.
– An incident may affect external parties directly—for
example, an outside organization may contact the
organization and claim that one of the organization’s
users is attacking it. Another way in which external
parties may be affected is if an attacker gains access to
sensitive information regarding them, such as credit
card information. In some jurisdictions, organizations
are required to notify all parties that are affected by
such an incident.

ISACA Gap Analysis

• Gap Analysis – between current incident response capabilities
and desired capabilities.
• Processes that need to be improved to be more
efficient and effective
• Resources needed to achieve the objectives for
the incident response capability

Incident Response Procedures
Incident Management Organization

Domain 4:
Information Security Incident Management

NIST Incident Response Life Cycle

Incident Response Preparation
Incident Handler Communications
• Contact information for team members and others within and outside
the organization
– On-call information for other teams within the organization, including escalation
information
• Incident reporting mechanisms
– phone numbers, email addresses, online forms, and secure instant
messaging systems that users can use to report suspected incidents; at
least one mechanism should permit people to report incidents
anonymously
• Issue tracking system
– for tracking incident information, status, etc.
• Smartphones to be carried by team members for off-hour support and
onsite communications
• Encryption software to be used for communications among team
members, within the organization and with external parties
• War room for central communication and coordination
• Secure storage for securing evidence & other sensitive materials

Incident Response Preparation
Incident Analysis Hardware & Software
• Digital forensic workstations and/or backup devices to create disk
images, preserve log files, and save other relevant incident data
• Laptops for analyzing data, sniffing packets, and writing reports
• Spares
– workstations, servers, and networking equipment, or the virtualized equivalents,
for purposes such as restoring backups and trying out malware
• Blank removable media
• Portable printer to print copies of log files and other evidence
• Packet sniffers & protocol analyzers
– capture and analyze network traffic
• Digital forensic software to analyze disk images
• Removable media with trusted versions of programs to be used to
gather evidence from systems
• Evidence gathering accessories
– including hard-bound notebooks, digital cameras, audio recorders, chain of
custody forms, evidence storage bags and tags, and evidence tape, to preserve
evidence for possible legal actions

Incident Response Preparation
Incident Analysis Resources
• Port lists, including commonly used ports and Trojan
horse ports
• Documentation for OSs, applications, protocols, and
intrusion detection and antivirus products
• Network diagrams and lists of critical assets, such as
database servers
• Current baselines of expected network, system, and
application activity
• Cryptographic hashes of critical files to speed incident
analysis, verification, and eradication
• Incident Mitigation Software:
– Access to images of clean OS and application installations for
restoration and recovery purposes

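The "cryptographic hashes of critical files" item above is the basis of file-integrity checking: a trusted baseline of hashes is taken from a known-good system and later compared against a fresh scan to tell which files were changed, added or removed, which narrows the analysis and confirms eradication. The Python script below is an added example, not code from the lecture notes or from NIST SP 800-61; the directory layout, file names and the "tampering" it performs are constructed inside a temporary directory so that it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example (not from the lecture notes): baseline and re-verify the
# SHA-256 hashes of every regular file under a root directory.


def sha256_of_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return baseline


def compare_to_baseline(baseline, current):
    """Classify differences between a trusted baseline and a fresh scan."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a directory, then alter it and detect the changes.

    Returns the JSON manifest a handler would keep offline and the comparison report.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd bytes")  # constructed content
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_baseline(root)
        manifest = json.dumps(baseline, indent=2, sort_keys=True)
        # Simulated changes after the baseline was taken: one file altered,
        # one file added, one file deleted.
        (root / "bin" / "sshd").write_bytes(b"altered sshd bytes")
        (root / "etc" / "extra.conf").write_text("unexpected=1\n")
        (root / "etc" / "passwd").unlink()
        report = compare_to_baseline(baseline, build_baseline(root))
        return manifest, report


if __name__ == "__main__":
    manifest, report = demo()
    print(manifest)
    print(report)
```

Store the manifest off the host (read-only media is the usual choice, matching the "trusted versions of programs" item above) and rerun `build_baseline` during analysis; a non-empty `modified` or `added` list is what tells a handler where to look first, and a hash taken from the trusted copy is what confirms that a restored file is clean.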
Detection and Analysis

Detection and Analysis
Attack Vectors (1 of 2)
• External/Removable Media:
– An attack executed from removable media or a peripheral device—for
example, malicious code spreading onto a system from an infected USB
flash drive.
• Attrition:
– An attack that employs brute force methods to compromise, degrade, or
destroy systems, networks, or services (e.g., a DDoS intended to impair or
deny access to a service or application; a brute force attack against an
authentication mechanism, such as passwords, CAPTCHAS, or digital
signatures).
• Web:
– An attack executed from a website or web-based application—for example,
a cross-site scripting attack used to steal credentials or a redirect to a site
that exploits a browser vulnerability and installs malware.
• Email:
– An attack executed via an email message or attachment—for example,
exploit code disguised as an attached document or a link to a malicious
website in the body of an email message.

Detection and Analysis
Attack Vectors (2 of 2)
• Impersonation:
– An attack involving replacement of something benign with something
malicious—for example, spoofing, man in the middle attacks, rogue
wireless access points, and SQL injection attacks all involve
impersonation.
• Improper Usage:
– Any incident resulting from violation of an organization’s acceptable
usage policies by an authorized user, excluding the above categories; for
example, a user installs file sharing software, leading to the loss of
sensitive data; or a user performs illegal activities on a system.
• Loss or Theft of Equipment:
– The loss or theft of a computing device or media used by the organization,
such as a laptop, smartphone, or authentication token.
• Other:
– An attack that does not fit into any of the other categories.

Detection and Analysis
Signs of an Incident
• Incidents may be detected through many different
means, with varying levels of detail and fidelity.
– Automated detection capabilities include network-based and
host-based IDPSs, antivirus software, and log analyzers.
Incidents may also be detected through manual means, such
as problems reported by users. Some incidents have overt
signs that can be easily detected, whereas others are almost
impossible to detect.
• The volume of potential signs of incidents is typically
high
– not uncommon for an organization to receive thousands or
even millions of intrusion detection sensor alerts per day.
• Deep, specialized technical knowledge and extensive
experience are necessary for proper and efficient
analysis of incident-related data.

Detection and Analysis
Signs of an Incident - Precursors
• Web server log entries that show the usage of a
vulnerability scanner
• An announcement of a new exploit that targets a
vulnerability of the organization’s mail server
• A threat from a group stating that the group will attack
the organization.
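The first precursor above, web server log entries that show a vulnerability scanner, is one a handler can look for mechanically rather than by eye. The Python below is an added example, not part of the lecture notes: it parses access logs in the Apache/nginx "combined" format and flags a source address when the User-Agent names a well-known scanning tool or when the address collects a burst of HTTP 404 responses (path guessing) inside a sliding time window. The log lines, IP addresses, thresholds and the list of user-agent markers are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not from the lecture notes): find scanner precursors in
# combined-format web server logs.

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that identify scanning tools that announce themselves in the
# User-Agent header (assumed list; matching is case-insensitive).
SCANNER_UA_MARKERS = ("nikto", "sqlmap", "nessus", "nmap", "masscan", "zgrab", "acunetix")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanner_precursors(lines, window_seconds=60, not_found_threshold=20):
    """Flag source IPs that look like vulnerability scanners.

    Heuristic 1: a known scanner name in the User-Agent.
    Heuristic 2: at least not_found_threshold HTTP 404 responses from one
    address within any window_seconds-long sliding window.
    Returns {ip: [reason, ...]} sorted by address.
    """
    reasons = defaultdict(set)
    not_found_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production pipeline would count these
        ua = rec["ua"].lower()
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                reasons[rec["ip"]].add(f"scanner user-agent matched '{marker}'")
        if rec["status"] == 404:
            not_found_times[rec["ip"]].append(rec["ts"])
    for ip, times in not_found_times.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= not_found_threshold:
            reasons[ip].add(f"{best} HTTP 404 responses within {window_seconds}s")
    return {ip: sorted(r) for ip, r in sorted(reasons.items())}


def _constructed_log():
    """Constructed sample log (not real traffic): one ordinary visitor, one
    self-identifying scanner, and one quiet path-guessing burst."""
    lines = [
        '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 5124 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
        '198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
        '198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6)"',
    ]
    for i in range(25):  # 25 misses in 25 seconds from one address, ordinary User-Agent
        lines.append(
            f'192.0.2.9 - - [10/Oct/2023:13:56:{i:02d} +0000] "GET /page{i} HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0)"'
        )
    return lines


SAMPLE_LOG_LINES = _constructed_log()

if __name__ == "__main__":
    for ip, why in find_scanner_precursors(SAMPLE_LOG_LINES).items():
        print(ip, "->", "; ".join(why))
```

Either heuristic alone is weak: a scanner can send any User-Agent, and a broken link on a popular page also yields many 404s from one address. That is why the function reports the reason alongside the address, so the handler can judge whether a precursor has become an indicator before escalating.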

Alerts & Logs

Precursors and Indicators (2)

Detection and Analysis
Incident Prevention (1 of 2)
• Risk Assessments.
– Periodic risk assessments of systems and applications should
determine what risks are posed by combinations of threats and
vulnerabilities.
• This should include understanding the applicable threats, including
organization-specific threats.
• Each risk should be prioritized, and the risks can be mitigated,
transferred, or accepted until a reasonable overall level of risk is
reached.
• Host Security.
– All hosts should be hardened appropriately using standard
configurations.
• In addition to keeping each host properly patched, hosts should be
configured to follow the principle of least privilege—granting users
only the privileges necessary for performing their authorized tasks.
– Hosts should have auditing enabled and should log significant
security-related events.

Detection and Analysis
Incident Prevention (2 of 2)
• Network Security.
– The network perimeter should be configured to deny all activity
that is not expressly permitted.
• This includes securing all connection points, such as virtual private
networks (VPNs) and dedicated connections to other organizations.
• Malware Prevention.
– Software to detect and stop malware should be deployed
throughout the organization.
• Malware protection should be deployed at the host level (e.g., server
and workstation operating systems), the application server level (e.g.,
email server, web proxies), and the application client level (e.g., email
clients, instant messaging clients).
• User Awareness and Training.
– Users should be made aware of policies and procedures regarding
appropriate use of networks, systems, and applications.

Detection and Analysis
Effective Incident Analysis
• Profile Networks and Systems.
• Understand Normal Behaviors.
• Create a Log Retention Policy.
• Perform Event Correlation.
• Keep All Host Clocks Synchronized.
• Maintain and Use a Knowledge Base of Information.
• Use Internet Search Engines for Research.
• Run Packet Sniffers to Collect Additional Data.
• Filter the Data.
• Seek Assistance from Others.

Detection and Analysis
Incident Documentation
• The current status of the incident
– (new, in progress, forwarded for investigation, resolved, etc.)
• A summary of the incident
• Indicators related to the incident
• Other incidents related to this incident
• Actions taken by all incident handlers on this incident
• Chain of custody, if applicable
• Impact assessments related to the incident
• Contact information for other involved parties (e.g., system
owners, system administrators)
• A list of evidence gathered during the incident investigation
• Comments from incident handlers
• Next steps to be taken (rebuild the host, upgrade an application)

Detection and Analysis
Incident Prioritization (1 of 2)
• Functional Impact of the Incident.
– Incident handlers should consider how the incident will
impact the existing functionality of the affected systems.
Incident handlers should consider not only the current
functional impact of the incident, but also the likely
future functional impact of the incident if it is not
immediately contained.
• Information Impact of the Incident.
– Incidents may affect the confidentiality, integrity, and
availability of the organization’s information.
– Incident handlers should consider how this information
exfiltration will impact the organization’s overall mission.
• An incident that results in the exfiltration of sensitive
information may also affect other organizations if any of the
data pertained to a partner organization.

Detection and Analysis
Incident Prioritization (2 of 2)
• Recoverability from the Incident.
– The size of the incident and the type of resources it affects
will determine the amount of time and resources that must
be spent on recovering from that incident.
– In some instances it is not possible to recover from an
incident (e.g., if the confidentiality of sensitive information
has been compromised) and it would not make sense to
spend limited resources on an elongated incident handling
cycle, unless that effort was directed at ensuring that a
similar incident did not occur in the future.
– In other cases, an incident may require far more resources
to handle than what an organization has available.
– Incident handlers should consider the effort necessary to
actually recover from an incident and carefully weigh that
against the value the recovery effort will create and any
requirements related to incident handling.

NIST Functional Impact Categories

Category  Definition
None      No effect to the organization’s ability to provide all services to all users
Low       Minimal effect; the organization can still provide all critical services to all users but has lost efficiency
Medium    Organization has lost the ability to provide a critical service to a subset of system users
High      Organization is no longer able to provide some critical services to any users


NIST Information Impact Categories

Category            Definition
None                No information was exfiltrated, changed, deleted, or otherwise compromised
Privacy Breach      Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated
Proprietary Breach  Unclassified proprietary information, such as protected critical infrastructure information (PCII), was accessed or exfiltrated
Integrity Loss      Sensitive or proprietary information was changed or deleted


NIST Recoverability Effort Categories

Category         Definition
Regular          Time to recovery is predictable with existing resources
Supplemented     Time to recovery is predictable with additional resources
Extended         Time to recovery is unpredictable; additional resources and outside help are needed
Not Recoverable  Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly); launch investigation


Detection and Analysis
Incident Notification
• CIO
• Head of information security
• Local information security officer
• Other incident response teams within the organization
• External incident response teams (if appropriate)
• System owner
• Human resources
– (for cases involving employees, such as email harassment)
• Public affairs (if appropriate)
• Legal department (for incidents with potential legal
ramifications)
• US-CERT (required for Federal agencies)
• Law enforcement (if appropriate)

Containment, Eradication & Recovery

Containment, Eradication & Recovery
Choosing a Containment Strategy
• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability
– (network connectivity, services provided to external parties)
• Time and resources needed to implement the
strategy
• Effectiveness of the strategy
– (partial containment, full containment)
• Duration of the solution
– (emergency workaround to be removed in four hours,
temporary workaround to be removed in two weeks,
permanent solution)

Containment, Eradication & Recovery
Evidence Gathering and Handling
• Detailed logs including:
– Identifying information (e.g., the location, serial
number, model number, hostname, media access
control (MAC) addresses, and IP addresses of a
computer)
– Name, title, and phone number of each individual
who collected or handled the evidence during the
investigation
– Time and date (including time zone) of each
occurrence of evidence handling
– Locations where the evidence was stored.

Containment, Eradication & Recovery
Identifying the Attacking Hosts (1 of 3)
• Validating the Attacking Host’s IP Address.
– New incident handlers often focus on the attacking host’s IP
address.
– The handler may attempt to validate that the address was not
spoofed by verifying connectivity to it; however, this simply
indicates that a host at that address does or does not
respond to the requests.
– A failure to respond does not mean the address is not real—
for example, a host may be configured to ignore pings and
traceroutes.
– Also, the attacker may have received a dynamic address that
has already been reassigned to someone else.

Containment, Eradication & Recovery
Identifying the Attacking Hosts (2 of 3)
• Researching the Attacking Host through Search
Engines.
– Performing an Internet search using the apparent source IP
address of an attack may lead to more information on the
attack—for example, a mailing list message regarding a
similar attack.
• Using Incident Databases.
– Several groups collect and consolidate incident data from
various organizations into incident databases.
– This information sharing may take place in many forms, such
as trackers and real-time blacklists.
– The organization can also check its own knowledge base or
issue tracking system for related activity.

Containment, Eradication & Recovery
Identifying the Attacking Hosts (3 of 3)
• Monitoring Possible Attacker Communication
Channels.
– Incident handlers can monitor communication channels that
may be used by an attacking host.
– For example, many bots use IRC as their primary means of
communication.
– Also, attackers may congregate on certain IRC channels to
brag about their compromises and share information.
– However, incident handlers should treat any such
information that they acquire only as a potential lead, not as
fact.

Containment, Eradication & Recovery
Eradication
• After an incident has been contained, eradication may
be necessary to eliminate components of the incident,
such as deleting malware and disabling breached
user accounts, as well as identifying and mitigating
all vulnerabilities that were exploited.
• During eradication, it is important to identify all
affected hosts within the organization so that they
can be remediated.
• For some incidents, eradication is either not
necessary or is performed during recovery.

Containment, Eradication & Recovery
Recovery (1 of 2)
• In recovery, administrators restore systems to normal
operation, confirm that the systems are functioning
normally, and (if applicable) remediate vulnerabilities
to prevent similar incidents.
– Recovery may involve such actions as restoring systems
from clean backups, rebuilding systems from scratch,
replacing compromised files with clean versions, installing
patches, changing passwords, and tightening network
perimeter security (e.g., firewall rulesets, boundary router
access control lists).
– Higher levels of system logging or network monitoring are
often part of the recovery process. Once a resource is
successfully attacked, it is often attacked again, or other
resources within the organization are attacked in a similar
manner.

Containment, Eradication & Recovery
Recovery (2 of 2)
• Eradication and recovery should be done in a phased
approach so that remediation steps are prioritized.
• For large-scale incidents, recovery may take months;
the intent of the early phases should be to increase
the overall security with relatively quick (days to
weeks) high value changes to prevent future
incidents.
• The later phases should focus on longer-term
changes (e.g., infrastructure changes) and ongoing
work to keep the enterprise as secure as possible.

Post-Incident Activity

Post Incident Activity
Lessons Learned
• Exactly what happened, and at what times?
• How well did staff & management perform in dealing with the incident?
– Were the documented procedures followed?
– Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the
recovery?
• What would the staff and management do differently the next time a
similar incident occurs?
• How could information sharing with other organizations have been
improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to
detect similar incidents?
• What additional tools or resources are needed to detect, analyze, and
mitigate future incidents?

Post Incident Activity
Metrics
• Number of Incidents Handled
• Time Per Incident.
• Objective Assessment of Each Incident.
• Subjective Assessment of Each Incident.
• Evaluate Against:
– Incident response policies, plans, and procedures
– Tools and resources
– Team model and structure
– Incident handler training and education
– Incident documentation and reports

Post Incident Activity
Retention Strategies
• Prosecution.
– If it is possible that the attacker will be prosecuted,
evidence may need to be retained until all legal
actions have been completed.
• In some cases, this may take several years.
• Data Retention.
– Most organizations have data retention policies that
state how long certain types of data may be kept.
• For example, an organization may state that email
messages should be retained for only 180 days.
• Cost.
– Original hardware (e.g., hard drives, compromised
systems) that is stored as evidence, as well as hard
drives and removable media that are used to hold disk

NIST Incident Response Checklist

NIST Incident Response Coordination

Roles and Responsibilities (CMU ISO)
• Incident Response Coordinator
– ISO employee who is responsible for assembling all the data
pertinent to an incident, communicating with appropriate parties,
ensuring that the information is complete, and reporting on
incident status both during and after the investigation.
• Incident Response Handlers
– are employees of the ISO, other CMU staff, or outside contractors
who gather, preserve and analyze evidence so that an incident
can be brought to a conclusion.
• Insider Threats (defined by CERT)
– current or former employees, contractors, or business partners
who have access to an organization’s restricted data and may
use their access to threaten the confidentiality, integrity or
availability of an organization’s information or systems.
• This particular threat is defined because it requires special
organizational and technical amendments to the Incident Response
Plan.

Roles and Responsibilities (CMU ISO) 2
• Law Enforcement
– includes the CMU Police, federal, state and local law enforcement
agencies, and U.S. government agencies that present warrants or
subpoenas for the disclosure of information.
• Interactions with these groups will be coordinated with the Office of
General Counsel.
• CMU Office of General Counsel (OGC) is the liaison between the ISO
and outside Law Enforcement, and will provide counsel on the
extent and form of all disclosures to law enforcement and the public.
• Officers
– Officers are the staff designates for various regulatory
frameworks to which the University is required to comply.
• Users
– members of the CMU community or anyone accessing an
Information System, Institutional Data or CMU networks who may
be affected by an incident.
Incident Management Resources and
Objectives

Domain 4:
Information Security Incident Management

Incident Management Resources

• IT Department
• Internal Audit
• Legal Department
• Physical Security
• Risk Management
• Insurance Department
• PR Department
• Sales and Marketing
• Senior Management
• Compliance Office
• Privacy Officer
Incident Response Plan (IRP)

• Policies, Standards and Procedures that support an
Incident Response Plan
– Alignment of activities with Incident Management Team (IMT)
– Set accurate expectations
– Provide guidance for operational needs
– Maintain consistency and reliability of services
– Clearly understand roles and responsibilities
– Set requirements for identified alternate personnel for all
important functions.

Incident Response Technology
Concepts
• Security principles
– CIA Triad, Authentication, Integrity, Access Control,
Privacy, Non-repudiation
• Security vulnerabilities/weaknesses
– Physical Security, Phishing, Protocol Design Flaws,
Malicious Code, Implementation Flaws, Configuration
weaknesses, User Errors
• The Internet
– Protocols, Configurations
• Operating Systems
– System Configuration, System Forensics, Log Files,
System Privileges
• Malicious Code
• Programming Skills
Incident Response Team Organization
• Central IRT
– Single IRT, typical in small organizations
• Distributed IRT
– Geographically dispersed and/or functionally distributed
• Coordinating IRT
– Central team to manage distributed IRTs
• Outsourced IRT
• Staff Composition Factors
– Type
– Mission
– Nature and range of service offered
– Constituency size and technology base
– Anticipated incident load
– Severity or complexity of incident reports
– Funding
Computer Security Incident Response
Teams (CSIRT) (CISA DHS)
• CSIRT - Computer Security Incident Response Team
• CSIRC - Computer Security Incident Response
Capability or Center
• CIRC - Computer Incident Response Capability or
Center
• CIRT - Computer Incident Response Team
• IHT - Incident Handling Team
• IRC - Incident Response Center or Incident Response
Capability
• IRT - Incident Response Team
• SERT - Security Emergency Response Team
• SIRT - Security Incident Response Team
DHS CSIRT Definition
• A CSIRT is a concrete organizational entity (i.e., one
or more staff) that is assigned the responsibility of
providing part of the incident management
capability for a particular organization.
• When a CSIRT exists in an organization, it is
generally the focal point for coordinating and
supporting incident response.
• By definition, a CSIRT must perform—at a
minimum—incident handling activities.
• This entails analyzing and resolving events and
incidents that are reported by end users or are
observed through proactive network and system
monitoring.
CSIRT Incident Handling Activities (1)
• determining the impact, scope, & nature of the event
or incident
• understanding the technical cause of the event or
incident
• identifying what else may have happened or other
potential threats resulting from the event or incident
• researching and recommending solutions and
workarounds
• coordinating and supporting the implementation of
the response strategies with other parts of the
enterprise or constituency
– Constituency refers to the group or individuals being
supported and serviced by the CSIRT.
CSIRT Incident Handling Activities (2)
• disseminating information on current risks, threats,
attacks, exploits, and corresponding mitigation
strategies through alerts, advisories, Web pages, and
other technical publications
• coordinating and collaborating with external parties
such as vendors, ISPs, other security groups and
CSIRTs, and law enforcement
• maintaining a repository of incident and vulnerability
data and activity related to the constituency that can
be used for correlation, trending, and developing
lessons learned to improve the security posture and
incident management processes of an organization
Source: https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams
Additional CSIRT Activities (1 of 2)
• recommend best practices regarding secure
configurations, defense-in-depth strategies for
protecting systems, networks, and critical data
and assets, and incident prevention
• perform or participate in vulnerability assessment
and handling, artifact analysis
• provide input into or participate in security audits
or assessments such as infrastructure reviews,
best practice reviews, vulnerability scanning, or
penetration testing

Additional CSIRT Activities (2 of 2)
• conduct public monitoring or technology watch
activities such as reviewing security web sites,
mailing list, or general news and vendor sites to
identify new or emerging technical developments,
intruder activities, future threats, legal and
legislative rulings, social or political threats, or
new defensive strategies
• support legal and law enforcement efforts
through the collection and analysis of forensics
evidence (provided that staff have the appropriate
expertise, training, and tools)
Source: https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams

CSIRT & Business Intelligence

• CSIRT can provide the information it collects on
the types of threats and attacks that currently
impact or could potentially threaten the
enterprise
• CSIRT can provide its expertise in general
intruder attacks and trends and corresponding
mitigation strategies
• CSIRT can provide its understanding of
infrastructure and policy weakness and strengths
based on performed incident postmortems
Source: https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams

CSIRT Required Processes

• notification and communication
• analysis, response, and resolution
• collaboration and coordination
• maintenance and tracking of records
• evaluation and quality assurance
• Plus
– Incident tracking and correlation
– Performing incident postmortems
– CSIRTS in Software Development Organizations

Source: https://www.us-cert.gov/bsi/articles/best-practices/incident-management/defining-computer-security-incident-response-teams


Va Tech CIRT Org Chart

ISACA Incident Response Objectives

• Handle incidents when they occur so the
exposure can be contained or eradicated to
enable recovery within the recovery time
objectives (RTOs).
• Restore systems to normal operations
• Prevent previous incidents from recurring by
documenting and learning from past incidents.
• Deploy proactive countermeasures to prevent/
minimize the probability of incidents from taking
place.

Incident Management Metrics and
Indicators

Domain 4:
Information Security Incident Management

Metrics

• Maximum Tolerable Downtime (MTD)
– the time after which the process being unavailable
creates irreversible consequences; generally, exceeding
the MTD results in severe damage to the viability of the
business.

• Maximum Tolerable Outage (MTO)
– a common measure in both disaster recovery
and business continuity. It is the maximum amount of
time a system or resource can remain unavailable
before its loss starts to have an unacceptable impact on
the goals or the survival of an organization.

Key Recovery Targets

• Recovery time objective (RTO)
– maximum period that elapses from the onset of a
disaster until the resumption of service.
• Recovery point objective (RPO)
– maximum data loss from the onset of a disaster.
• Recovery capacity objective (RCapO)
– processing or storage capacity of an alternate process
or system, as compared to the primary process or
system.
• Recovery consistency objective (RCO)
– consistency and integrity of processing in a recovery
system, as compared to the primary processing system.

MTBF, MTTR, Availability, Reliability

• Mean Time Between Failures (MTBF) is the
estimated lifespan of a piece of equipment.
– MTBF = sum(start of downtime – start of uptime) / number of
failures
• Mean Time to Repair (MTTR) is the amount of
time expected to get a device repaired and back
into production.
– MTTR = (total downtime) / (number of breakdowns)
• Availability is the time a system performs its
intended function.
– Availability = MTBF / (MTBF + MTTR)
• Reliability is a measure of the frequency of
system failures.

Incident Management Metrics (ISACA)
• Total number of reported incidents
• Total number of detected incidents
• Number of days without incident
• Average incident response time relative to RTO
• Average time to resolve an incident
• Total number of incidents successfully resolved
• Incidents not resolved successfully
• Proactive and preventative measures taken
• Total # of employees receiving security training
• Total damages from incidents (reported & detected)
• Total savings from potential incident prevention
• Total labor responding to incidents
• Detection and notification times
Incident Response Metrics (Gregory)
• Number of incidents of each incident severity and type
• Dwell time (time from start of incident to the time the
organization became aware of the incident)
• Time required to contain the incident
• Time required to resolve and close incidents
• Number of times incident response SLAs were not met
• Improvements identified and implemented based on table-top
exercises and lessons learned from actual incidents
• Number or percentage of employees receiving security
awareness training, as well as any correlation between this
and the number of incidents
• Number of records compromised
• Number of external people affected and notified
• Total cost required to resolve each incident
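The metrics on the preceding slides, worked through on constructed data: MTBF, MTTR and availability over an outage log, and dwell time, time to contain, time to resolve, SLA misses and records compromised over a set of incident records. This is an added example written for this page, not code from the course, ISACA or Gregory; the outage timeline, incident timestamps, severities, record counts and the containment SLA table are all constructed, and the SLA clock is assumed to start when an incident is detected.

```python
"""Availability and incident response metrics over constructed records.

Added example for this page, not code from the course, ISACA or Gregory.
The outage timeline, incident timestamps, severities, record counts and the
containment SLA table are all constructed; the SLA clock is assumed to start
when the incident is detected.
"""
from datetime import datetime


def _ts(text):
    """Parse a constructed 'YYYY-MM-DD HH:MM' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def _hours(start, end):
    """Elapsed hours between two constructed timestamps."""
    return (_ts(end) - _ts(start)).total_seconds() / 3600


# Constructed outage log for one system. Each failure records when the
# preceding uptime period began, when the system failed and when it was back.
OUTAGES = [
    {"up_since": "2024-01-01 00:00", "down": "2024-01-11 06:00", "restored": "2024-01-11 10:00"},
    {"up_since": "2024-01-11 10:00", "down": "2024-01-26 12:00", "restored": "2024-01-26 14:00"},
    {"up_since": "2024-01-26 14:00", "down": "2024-02-05 08:00", "restored": "2024-02-05 11:00"},
]


def mtbf_hours(outages):
    """MTBF = sum(start of downtime - start of uptime) / number of failures."""
    return sum(_hours(o["up_since"], o["down"]) for o in outages) / len(outages)


def mttr_hours(outages):
    """MTTR = total downtime / number of breakdowns."""
    return sum(_hours(o["down"], o["restored"]) for o in outages) / len(outages)


def availability(outages):
    """Availability = MTBF / (MTBF + MTTR)."""
    mtbf, mttr = mtbf_hours(outages), mttr_hours(outages)
    return mtbf / (mtbf + mttr)


# Constructed containment SLA in hours per severity, measured from detection.
CONTAINMENT_SLA_HOURS = {"high": 4, "medium": 24, "low": 72}

# Constructed incident records: when the incident began (as established in the
# post-mortem), when it was detected, contained and resolved, and how many
# records it exposed.
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "started": "2024-03-01 02:00",
     "detected": "2024-03-03 09:00", "contained": "2024-03-03 11:00",
     "resolved": "2024-03-04 17:00", "records": 1200},
    {"id": "INC-2", "severity": "medium", "started": "2024-03-10 08:00",
     "detected": "2024-03-10 09:30", "contained": "2024-03-12 09:30",
     "resolved": "2024-03-13 09:30", "records": 0},
    {"id": "INC-3", "severity": "low", "started": "2024-03-15 12:00",
     "detected": "2024-03-15 12:00", "contained": "2024-03-16 12:00",
     "resolved": "2024-03-17 12:00", "records": 50},
]


def incident_metrics(incidents, sla=CONTAINMENT_SLA_HOURS):
    """Dwell, containment and resolution times, SLA misses and exposure."""
    dwell = [_hours(i["started"], i["detected"]) for i in incidents]
    contain = [_hours(i["detected"], i["contained"]) for i in incidents]
    resolve = [_hours(i["detected"], i["resolved"]) for i in incidents]
    by_severity = {}
    for i in incidents:
        by_severity[i["severity"]] = by_severity.get(i["severity"], 0) + 1
    n = len(incidents)
    return {
        "count": n,
        "by_severity": by_severity,
        "avg_dwell_h": sum(dwell) / n,
        "max_dwell_h": max(dwell),
        "avg_contain_h": sum(contain) / n,
        "avg_resolve_h": sum(resolve) / n,
        # containment SLA is measured from detection (assumption)
        "sla_missed": [i["id"] for i, c in zip(incidents, contain) if c > sla[i["severity"]]],
        "records_compromised": sum(i["records"] for i in incidents),
    }


if __name__ == "__main__":
    print(f"MTBF {mtbf_hours(OUTAGES):.1f} h, MTTR {mttr_hours(OUTAGES):.1f} h, "
          f"availability {availability(OUTAGES):.4%}")
    for key, value in incident_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

Dwell time is the metric that depends on post-mortem work: the start of the incident is usually only known after investigation, so the value is recomputed as the timeline firms up. Average containment time hides the one SLA breach here, which is why the function also returns the list of incidents that missed their SLA.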
Samanage Metrics

1. Incident Response Time
2. First-Time Resolution Rate
3. SLA Compliance Ratio
4. Cost per Ticket
5. Number of Active Tickets
6. Recategorized Incidents
7. Reopen Rate
8. Incidents per Department
9. Incidents by Type
10. Incidents not Initiated via Self-Service
11. Incidents With Associated Problems
12. Escalated Incidents
13. Incidents Resolved Remotely
14. Incidents With No Known Resolution
15. Ticket Volume
Incident Response Metrics

1. Detection success
2. Detection to decision
3. Decision speed
4. False positive rates
5. Time to mitigation/containment
Bonus Metric
• Security versus administrative tasks
– Cody Cornell, Swimlane

Developing an Incident Response Plan

Domain 4:
Information Security Incident Management

3 Case Studies

1. Carnegie Mellon Information Security Office
– https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan.pdf
2. State of Connecticut Incident Response Plan
Template
3. Virginia Tech Guide for Cyber Security Incident
Response
– https://security.vt.edu/content/dam/security_vt_edu/downloads/incident_response.pdf

NIST Incident Response Life Cycle

Incident Response Lifecycle
• CMU Computer Security Incident Response Plan
– https://www.cmu.edu/iso/governance/procedures/docs/incidentresponseplan.pdf
CMU Incident Response Plan Intro

• Purpose
• Scope
• Maintenance
• Authority
• Relationship to other Policies
• Relationship to Other Groups at CMU

CMU IRP Definitions

• Event

• Incident

• Personally Identifiable Information (PII)

• Protected Health Information (PHI)

CMU IRP Roles & Responsibilities
• Incident Response Coordinator

• Incident Response Handlers

• Insider Threats

• Law Enforcement

• Office of General Counsel

• Officers

• Users
CMU Incident Response Phases

CMU Guidelines for the Incident
Response Process
• Insider Threats

• Interactions with Law Enforcement

• Communications Plan

• Privacy

Documentation, Tracking, Reporting
• All incident response activities will be documented to include
artifacts obtained using methods consistent with chain of
custody and confidentiality requirements.
• Incidents will be prioritized and ranked according to their
potential to disclose restricted data.
– As an investigation progresses, that ranking may change,
resulting in a greater or lesser prioritization of ISO resources.
• Incidents will be reviewed post-mortem to assess whether the
investigational process was successful and effective.
– Subsequent adjustments may be made to methods and
procedures used by the ISO and by other participants to improve
the incident response process.
• Artifacts obtained during the course of an investigation may
be deleted after the conclusion of the investigation and post-
mortem analysis unless otherwise directed by OGC.
Virginia Tech (VPI)

VPI Introduction
• Authority
• Purpose and Scope
• Audience
• Document Structure (next slide)
• Section 2 discusses the need for cyber incident
response capabilities, and outlines possible
cyber incident response team structures as well
as other groups within the organization that may
participate in cyber incident response handling.
• Section 3 provides guidelines for effective,
efficient, and consistent incident response
capabilities and reviews the cyber security
incident response elements.
VPI Document Structure
• Appendix A – VT Cyber Incident Response Teams Organizational Chart
• Appendix B – Communication Workflow for Sensitive Data Exposure
• Appendix C – CIRT Team, IT Council, Compliance Officers Directories
• Appendix D – Incident Handling Checklist
• Unix, Linux and Windows Forensics checklists
• Appendix E – Detection and Analysis Information Gathering Outline
• Appendix F – Communication Plan Worksheet
• Appendix G – Internal Audit Guidelines for unacceptable computer use
• Appendix H – University Policies and Standards
• Appendix I – Workflow Diagram for Incident Escalation
• Appendix J – Contact information for local police and FBI
• Appendix K – Generalized Cyber Incident Escalation and Workflow
Diagram
• Appendix L – Acronyms
• Appendix M – Step by Step Cyber Incident Response
VPI Section 2 - Incident Examples
• An incident in which an attacker commands a
botnet to send high volumes of connection
requests to a web server, causing it to crash.
• An incident in which users are tricked into opening
a “quarterly report” sent via email that is actually
malware; running the tool has infected their
computers and established connections with an
external host.
• An incident where an attacker obtains sensitive
data and threatens that the details will be released
publicly if the organization does not pay a
designated sum of money.
• An incident where a user provides or exposes
sensitive information to others through peer-to-peer
file sharing services.
VPI Section 2 CSIRT Mission

1. Limit the impact of cyber incidents in a way that
safeguards the well-being of the University
community.
2. Protect the information technology infrastructure
of the University.
3. Protect sensitive University data from
disclosure, modification, and exfiltration.
4. Collect the information necessary to pursue
investigation(s) at the request of the proper
University authority.

VPI Section 2 CIRT Response Goals
• To protect the well-being of the University community.
• To protect the confidentiality, integrity, and availability of
University systems, networks and data.
• To help University personnel recover their business processes
after computer or network security incidents.
• To provide a consistent response strategy to system and
network threats that put Virginia Tech data and systems at risk.
• To develop and activate a communications plan including initial
reporting of the incident as well as ongoing communications as
necessary.
• To address cyber related legal issues.
• To coordinate efforts with external Computer Incident
Response Teams.
• To minimize the University’s reputational risk by notifying
appropriate University officials of cyber incidents that may
become high profile events and implementing timely and
appropriate corrective actions.
VPI Cyber Incident Response Plan
• Preparation:
– Maintaining and improving incident response capabilities
and preventing incidents by ensuring that systems,
networks, and applications are sufficiently secure.
• Identification:
– Confirming, characterizing, classifying, categorizing,
scoping, and prioritizing suspected incidents.
• Containment:
– Minimizing loss, theft of information, or service disruption.
• Eradication:
– Eliminating the threat.
• Recovery:
– Restoring computing services quickly and securely.
• Post-incident activities:
– Assessing response to better handle future incidents
through utilization of reports, “Lessons Learned,” and
after-action activities, or mitigation of exploited weaknesses
to prevent similar incidents from occurring in the future.
VPI Authority for Cyber Incident Response
• Vice President for Information Technology and Chief
Information Officer (CIO)
– empowered to respond to IT security incidents by BOV
Resolution “Information Technology Security and Authority”.
– http://www.bov.vt.edu/minutes/07-06-04minutes/attach_v_070604.pdf
• Information Technology Security Officer (ITSO)
– delegated authority by CIO to decide whether to activate CIRT,
notifies Incident Governance Team of decision
• VPI CIRT Governance Team
– a broad range of University stakeholders (see Appendix A).
• University Legal Counsel
– any law enforcement/legal actions, questions about information
disclosure, legal aspects of the investigation.

VPI Authority for Cyber Incident Response
• University President
– personnel actions for staff
• Executive Vice President and Provost
– personnel actions for faculty
• University Internal Audit
– data integrity of critical University data, compliance
with University procedures and fraud investigations
• Division of Student Affairs/Student Conduct
– offenses by Virginia Tech students
• Virginia Tech Police Department
– criminal matters
• Data Trustees/Stewards
– sensitive or non-public data access and governance
(data trustees and stewards are listed in the “Standard
for Administrative Data Management”)
VPI Cyber Incident Response
Governance Team
• Vice President for Information Technology & CIO
• Information Technology Security Officer
• University Legal Counsel
• University Internal Audit
• VT Police Department
• Data Trustees/Stewards
• University Relations

VPI Sec. 3 Incident Response Processes

VPI CIRT Incident Response
Classification Matrix

State of Connecticut Template

• Left as an exercise
• Document found on the resource page of the course web site

Business Continuity and Disaster
Recovery Plans

Domain 4:
Information Security Incident Management
Additional References:
Dr. C.W. Perr
ISC2 CISSP CBK
Business Continuity Planning
• a “disaster” is:
– Trying to make red chili ribs in a crock pot
– He lost a laptop with the only copy of his thesis
– She lost her research and papers in the lab fire
– Payroll system failed the day before payday
– Asbestos released in a dorm renovation
– The death of a student
– The Northeast blackout
– Hurricane Katrina

Relationship Between BCP and DRP

Ref: All-in-One CISM by Peter H. Gregory

BCP and DRP Components

Understand the Organization First

A BCP requires a BIA

• Before doing a Business Continuity Plan (BCP),
you must first develop a Business Impact
Analysis (BIA).

• Source: ISC2

Why are we doing a BCP?
(C.W. Perr, Ph.D.)
• A very important question to ask when first developing a
BCP is why it is being developed.
• This may seem silly and the answer may at first appear
obvious, but that is not always the case.
• You might think that the reason to have these plans is to
deal with an unexpected disaster and to get people back to
their tasks as quickly and as safely as possible, but the full
story is often a bit different. Why are most companies in
business?
• To make money and be profitable. If these are usually the
main goals of businesses, then any BCP needs to be
developed to help achieve and, more importantly, maintain
these goals.
• The main reason to develop these plans in the first place is
to reduce the risk of financial loss by improving the
company’s ability to recover and restore operations.
• This encompasses the goals of mitigating the effects of the
disaster.

BCP, BIA and DRP

• Many people combine a business continuity plan
(BCP) and a disaster recovery plan (DRP) as
though they are a single document. However,
they are different.
• Here are some key points:
– The BCP has a wide scope and helps an organization
continue to operate even if disaster occurs.
– The BIA is part of the BCP and identifies critical systems
and services.
– You then create DRPs to ensure you have
methods/procedures/processes to restore these critical
systems in the event of the disaster.
• Source: GetAheadGetCertified
Business Continuity Planning

• Disaster
– is an event, often unexpected, that seriously disrupts
your usual operations or processes and can have long
term impact on your normal way of life or that of your
organization.
• RTO [Recovery Time Objective]
– the point in time when you must have at least the critical
aspects of your business operational again.
• RPO [Recovery Point Objective]
– The last copy of your data that is out of harm’s way –
hopefully it is recently current.

Business Continuity Planning
is:
• a process to minimize the impact of a major
disruption to normal operations.
• a process to enable restoration of critical assets.
• a process to restore normalcy as soon as
possible after a crisis.
not just:
• recovery of information technology resources
– and it is the phase of crisis management that follows the
immediate actions taken to protect life and property and
contain the event.
– it begins when the situation has been stabilized.

Business Continuity Planning

Business Continuity Planning

The Risk Matrix

                            PROBABILITY
                       LOW              HIGH
IMPACT   LOW        IGNORE           NORMAL PROCEDURES
         HIGH       PLAN             CHANGE SOMETHING

Business Continuity Planning

Network Operations Disruptions

[Chart: causes of network operations disruptions. Categories shown: Power,
Hardware, BOMB, MISC, ENVIRON, DATA, SOFTWARE, CIVIL, TELECOMM, FLOOD, HURR,
EARTH, TORNADO, LIGHTNING, HARDWARE, POWER, FIRE/EXPL.]

Source: Gartner Group and Comdisco

Business Continuity Planning

Mt. St. Helens – May 1980 – new threats arise

Business Continuity Planning
High Level Look at a Recovery Effort

[Diagram: recovery timeline. Stages: Lost Data; Restore Vital Records;
Restore Technology Capability; Notifications; Restore Communications
(if necessary); Restore Business Functions; Resume Business; Move to
Alternate Site; Data Synchronization; Return Home. Spans marked: Data
Recovery Objective, Recovery Time Objective.]

© Lucent Technologies

1. Project Initiation

• After the coffee and donuts have been fetched it
is time to get down to business.
– Solidify management support
– Select a business continuity coordinator (needs to have
direct access to management, and the ability to carry
out decisions)
– Bring all issues and threats to the table (representatives
from Business units, Senior management, IT
department, Security department, Communications
department, and the Legal department) –give a sense of
ownership here…

Project Initiation (continued)

• The people who develop the BCP should be the
ones to execute it.
• Work with management to develop goals.
• What should the plan address? (natural disaster,
terrorist attack, communication outage, etc?)
Continuity planning statement – the scope of the
business continuity plan, roles of team members, and
goals. [like a mission statement for everything else]

Most companies outline the scope of their BCP to encompass only the larger
threats. The smaller threats are then covered by independent departmental
contingency plans.

The BCP Coordinator's product

Project Plan Components

• Objective-to-task mapping
• Resource-to-task mapping
• Milestones
• Budget estimates
• Success factors
• Deadlines

Convince them of value…

• Documents potential loss for the threats involved
• Lip service equals false sense of security…bad
• Legal obligation to due diligence
• Business is the drive to deliver a product, and the
sense to anticipate disaster
• Management sets the goals and is responsible for
follow up

2. Business Impact Analysis
• How bad will this hurt and how long can we deal with
this level of pain?
• Business impact analysis answers this.
– Functional analysis: based on business, functions,
activities, and transactions.
– Threats are mapped based on:
• Maximum tolerable downtime
• Operational disruption and productivity
• Financial considerations
• Regulatory responsibilities
• Reputation

Business Impact Analysis (continued)

• Data collection comes from asking the committee
what they think the threats are

Loss Criteria

Maximum Tolerable Downtime

• Maximum tolerable downtime (MTD) – the outage
time that can be endured by the company.

Dependency…

Dependency (continued)

Responsibilities (more)

The BIA gives us…

• a guide as to how we should protect ourselves from the
things that will cost us the most should they happen.
• Example:

Business Process Recovery

• Example – the Emperor wants to blow up a
planet…
– Validate that the DS is available
– How long to get to range of the planet?
– Provide with an estimate
– Validate the order
– Send receipt, and tracking info
– Send coordinates to flyer dudes
– Send command to destroy that planet

BCP Team needs to know these steps…

4. Plan Design and Development

• Non-disaster: A disruption in service due to a
device malfunction or failure.
• Disaster: An event that causes the entire facility
to be unusable.
• Catastrophe: A major disruption which destroys
the facility.

Tertiary Sites Backups
More vocabulary

Don’t do this…

Reciprocal Agreement

Supply and technology recovery
• Granular level backup items:

Hardware backups

• Usually a plan of keeping machine images and
buying equipment as it is needed.
• Service level agreement needs to specify a
delivery time for the equipment.

Documentation
• Write down the plan…(seriously, this was a whole page in the
book…der)

Human resources

• Executive succession planning – deputies,
replacements, etc. Still has an effect…
• How are you going to get people to work a
backup site 250 miles away?
• Usually a skeleton team, so need to identify the
critical functions.

5. Implementation

• Data Backups
• Different types of media stored in different
locations
• Definitions and steps –
– 1) full backup – all data saved
– 2) differential process – saves the files modified since the
last full backup (item 3); to restore, restore the full backup,
then the differential
– 3) last full backup – the most recent full backup, which is the
baseline for 2) and 4)
– 4) incremental process – back up all the files that have
changed since the last full backup
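The backup definitions above, simulated on a constructed set of files so the difference between the strategies is visible: which files each daily backup captures, and which backup sets a restore needs. This is an added example written for this page, not code from the slides or any backup product; the daily change log is constructed. It follows the conventional definitions, in which a differential captures every file changed since the last full backup and an incremental captures the files changed since the most recent backup of any type, so the "full plus latest differential" and "full plus every incremental" restore chains both rebuild the same final state.

```python
"""Full, differential and incremental backups simulated on constructed files.

Added example for this page (not from the slides or any backup product).
Day 0 is always a full backup; each later day takes either a differential
(files changed since the last full backup) or an incremental (files changed
since the most recent backup of any type). restore_chain() picks the sets a
restore needs and restore() replays them in order.
"""

# Constructed daily change log: day 0 is the initial state, later entries
# list the files modified that day (file name -> content version).
DAILY_CHANGES = [
    {"a.txt": "a0", "b.txt": "b0", "c.txt": "c0"},  # day 0: initial state
    {"a.txt": "a1"},                                # day 1
    {"b.txt": "b1"},                                # day 2
    {"a.txt": "a2", "c.txt": "c1"},                 # day 3
]


def simulate(strategy, daily_changes=DAILY_CHANGES):
    """Return the backup sets taken, one per day, as (day, kind, files)."""
    if strategy not in ("differential", "incremental"):
        raise ValueError("strategy must be 'differential' or 'incremental'")
    state = {}          # live file system contents
    since_full = set()  # names changed since the last full backup
    since_last = set()  # names changed since the last backup of any type
    sets = []
    for day, changes in enumerate(daily_changes):
        state.update(changes)
        since_full.update(changes)
        since_last.update(changes)
        if day == 0:
            kind, names = "full", set(state)
            since_full.clear()
        elif strategy == "differential":
            kind, names = "differential", set(since_full)
        else:
            kind, names = "incremental", set(since_last)
        since_last.clear()
        sets.append((day, kind, {name: state[name] for name in names}))
    return sets


def restore_chain(sets):
    """Backup sets needed to rebuild the latest state: the last full backup,
    then either the newest differential or every incremental taken after it."""
    full = [s for s in sets if s[1] == "full"][-1]
    after = [s for s in sets if s[0] > full[0]]
    if after and after[-1][1] == "differential":
        return [full, after[-1]]
    return [full] + after


def restore(sets):
    """Replay the restore chain oldest to newest; later sets overwrite earlier."""
    state = {}
    for _, _, files in restore_chain(sets):
        state.update(files)
    return state


def set_sizes(sets):
    """Number of files captured by each backup set, in day order."""
    return [len(files) for _, _, files in sets]


if __name__ == "__main__":
    for strategy in ("differential", "incremental"):
        sets = simulate(strategy)
        print(strategy, "set sizes per day:", set_sizes(sets))
        print("  restore needs", len(restore_chain(sets)), "sets ->", restore(sets))
```

The trade-off shows up in the set sizes: the differential grows every day until the next full backup but a restore needs only two sets, while incrementals stay small and a restore must replay every one of them in order, so losing any single incremental tape breaks the chain.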

Certified Information Security Manager – Domain 4 142


Certified Information Security Manager – Domain 4 143
More vocabulary

• Electronic vaulting – makes copies of files as they are modified
and periodically transmits them to an offsite backup site
• Disk shadowing – similar to data mirroring, provides fault
tolerance by duplicating hardware and maintaining more than one
copy
• Remote journaling – another method of transmitting data offsite,
but this usually only includes moving the journal or transaction
logs to the offsite facility, not the actual files. These logs contain
the deltas (changes) that have taken place to the individual files. If
and when data are corrupted and need to be restored, the bank
can retrieve these logs, which are used to rebuild the lost data.

Make sure you can restore…

Tape Vaulting - the data are sent over a serial line to a backup tape system at the offsite facility

So, basically using magic to the management…awesome diagram

Choose a backup facility
• Can the media be accessed in the necessary timeframe?
• Is the facility closed on weekends and holidays, and does it only
operate during specific hours of the day?
• Are the access control mechanisms tied to an alarm and/or the
police station?
• Does the facility have the capability to protect the media from a
variety of threats?
• What is the availability of a bonded transport service?
• Are there any geographical environmental hazards such as floods,
earthquakes, tornadoes, and so on?
• Is there a fire detection and suppression system?
• Does the facility provide temperature and humidity monitoring and
control?
• What type of physical, administrative, and logical access controls
are used?

Cyberinsurance?
• Not even kidding…Cyberinsurance is a new type of coverage that insures
losses caused by denial-of-service attacks, malware damages, hackers,
electronic theft, privacy-related lawsuits, and more.
• A company could also choose to purchase a business interruption
insurance policy.

Restoration Teams
• The restoration team should be responsible for getting the
alternate site into a working and functioning environment,
and the salvage team should be responsible for starting the
recovery of the original site.
• A role, or a team, needs to be created to carry out a damage
assessment once a disaster has taken place. The
assessment procedures should be properly documented
and include the following steps:
• Determine the cause of the disaster.
• Determine the potential for further damage.
• Identify the affected business functions and areas. Identify the
level of functionality for the critical resources.
• Identify the resources that must be replaced immediately.
• Estimate how long it will take to bring critical functions
back online.
• If it will take longer than the previously estimated MTD
values to restore operations, then a disaster should be
declared, and the BCP should be put into action.

What team to call? Reconstruction phase…

Different organizations have different criteria, because the business drivers and critical functions will vary from organization to organization. The criteria may comprise some or all of the following elements:

• Danger to human life
• Danger to state or national security
• Damage to facility
• Damage to critical systems
• Estimated value of downtime that will be experienced

Reconstruction Issues
The following lists a few of these issues:
• Ensuring the safety of employees
• Ensuring an adequate environment is provided (power,
facility infrastructure, water, HVAC)
• Ensuring that the necessary equipment and supplies are
present and in working order
• Ensuring proper communications and connectivity
methods are working
• Properly testing the new environment

Once the coordinator, management, and salvage team sign off on the readiness of the facility, the salvage team should carry out the following steps:
– Back up data from the alternate site and restore it within the new
facility.
– Carefully terminate contingency operations.
– Securely transport equipment and personnel to the new facility.

Goals
• To be useful, a goal must contain certain key information, such as the following:
• Responsibility
– Each individual involved with recovery and continuity should have their responsibilities spelled out in writing
to ensure a clear understanding in a chaotic situation. Each task should be assigned to the individual most
logically situated to handle it. These individuals must know what is expected of them, which is done through
training, drills, communication, and documentation. So, for example, instead of just running out of the building
screaming, an individual must know that he is responsible for shutting down the servers before he can run out
of the building screaming.
• Authority
– In times of crisis, it is important to know who is in charge. Teamwork is important in these situations, and
almost every team does much better with an established and trusted leader. Such leaders must know that they
are expected to step up to the plate in a time of crisis and understand what type of direction they should
provide to the rest of the employees. Clear-cut authority will aid in reducing confusion and increasing
cooperation.
• Priorities
– It is extremely important to know what is critical versus what is merely nice to have. Different departments
provide different functionality for an organization. The critical departments must be singled out from the
departments that provide functionality that the company can live without for a week or two. It is necessary to
know which department must come online first, which second, and so on. That way, the efforts are made in the
most useful, effective, and focused manner. Along with the priorities of departments, the priorities of systems,
information, and programs must be established. It may be necessary to ensure that the database is up and
running before working to bring the file server online. The general priorities must be set by the management
with the help of the different departments and IT staff.
• Implementation and testing
– It is great to write down very profound ideas and develop plans, but unless they are actually carried out and
tested, they may not add up to a hill of beans. Once a continuity plan is developed, it actually has to be put into
action. It needs to be documented and put in places that are easily accessible in times of crisis. The people
who are assigned specific tasks need to be taught and informed how to fulfill those tasks, and dry runs must
be done to walk people through different situations. The drills should take place at least once a year, and the
entire program should be continually updated and improved.
6. Testing

Testing Factoids -
• Should be performed annually
• Exercises vs. tests: a test is pass/fail; an exercise is for learning.
• Prepare personnel for what they might face.
• The team of testers must agree upon what exactly is
getting tested and how to properly determine success
or failure. The team must agree upon the timing and
duration of the exercise, who will participate in the
exercise, who will receive which assignments, and
what steps should be taken. Also, the team needs to
determine whether hardware, software, personnel,
procedures, and communications lines are going to
be tested, and whether it is some, all, or a subset
combination.
– Choose a subset to train a small sub-group at first, and
then when everyone is ready take the time of the whole
group.

Types of tests

Types of tests (continued)

The mother of all tests…

7. Maintain the Plan!
• The main reasons plans become outdated include the following:
– The business continuity process is not integrated into the change
management process.
– Infrastructure and environment changes occur.
– Reorganization of the company, layoffs, or mergers occur.
– Changes in hardware, software, and applications occur.
– After the plan is constructed, people feel their job is done.
– Personnel turns over.
– Large plans take a lot of work to maintain.
– Plans do not have a direct line to profitability.

• Organizations can keep the plan updated by taking the following actions:
– Make business continuity a part of every business decision.
– Insert the maintenance responsibilities into job descriptions.
– Include maintenance in personnel evaluations.
– Perform internal audits that include disaster recovery and continuity documentation and procedures.
– Perform regular drills that use the plan.
– Integrate the BCP into the current change management process.
Quick Tips
• A business continuity plan (BCP) contains strategy documents that provide detailed procedures that ensure critical business functions are maintained and that help minimize losses of life, operations, and systems.
• A BCP provides procedures for emergency responses, extended backup operations, and post-disaster recovery.
• A BCP should reach enterprisewide, with individual organizational units each having their own detailed continuity and contingency plans.
• A BCP needs to prioritize critical applications and provide a sequence for efficient recovery.
• A BCP requires senior executive management support for initiating the plan and final approval.
• BCPs can quickly become outdated due to personnel turnover, reorganizations, and undocumented changes.
• Executives may be held liable if proper BCPs are not developed and used.
• Threats can be natural, manmade, or technical.
• The steps of recovery planning include initiating the project; performing business impact analyses; developing a recovery strategy; developing a recovery plan; and implementing, testing, and maintaining the plan.
• The project initiation phase involves getting management support, developing the scope of the plan, and securing funding and resources.
• The business impact analysis is one of the most important first steps in the planning development. Qualitative and quantitative data needs to be gathered, analyzed, interpreted, and presented to management.
• Executive commitment and support are the most critical elements in developing the BCP.
• A business case must be presented to gain executive support. This is done by explaining regulatory and legal requirements, exposing vulnerabilities, and providing solutions.
• Plans should be prepared by the people who will actually carry them out.
• The planning group should comprise representatives from all departments or organizational units.
• The BCP team should identify the individuals who will interact with external entities such as the press, shareholders, customers, and civic officials. Response to the disaster should be done quickly and honestly, and should be consistent with any other employee response.
• Disaster recovery and continuity planning should be brought into normal business decision-making procedures.
• The loss criteria for disasters include much more than direct dollar loss. They may include added operational costs, loss in reputation and public confidence, loss of competitive advantage, violation of regulatory or legal requirements, loss in productivity, delayed income, interest costs, and loss in revenue.
• A survey should be developed and given to the most knowledgeable people within the company to obtain the most realistic information pertaining to a company’s risk and recovery procedures.
• The plan’s scope can be determined by geographical, organizational, or functional means.
• Many things need to be understood pertaining to the working environment so it can be replicated at an alternate site after a disaster.
• Subscription services can supply hot, warm, or cold sites.
• A reciprocal agreement is one in which a company promises another company it can move in and share space if it experiences a disaster and vice versa. Reciprocal agreements are very tricky to implement and are unenforceable. However, they are cheap and sometimes the only choice.
• A hot site is fully configured with hardware, software, and environmental needs. It can usually be up and running in a matter of hours. It is the most expensive option, but some companies cannot be out of business longer than a day without detrimental results.
• A warm site does not have computers, but it does have some peripheral devices such as disk drives, controllers, and tape drives. This option is less expensive than a hot site, but takes more effort and time to get operational.
• A cold site is just a building with power, raised floors, and utilities. No devices are available. This is the cheapest of the three options, but can take weeks to get up and operational.
• When returning to the original site, the least critical organizational units should go back first.
• An important part of the disaster recovery and continuity plan is to communicate its requirements and procedures to all employees.
• Testing, drills, and exercises demonstrate the actual ability to recover and can verify the compatibility of backup facilities.
• Before tests are performed, there should be a clear indication of what is being tested, how success will be determined, and how mistakes should be expected and dealt with.
• A checklist test is one in which copies of the plan are handed out to each functional area to ensure the plan properly deals with the area’s needs and vulnerabilities.
• A structured walk-through test is one in which representatives from each functional area or department get together and walk through the plan from beginning to end.
• A simulation test is one in which a practice execution of the plan takes place. A specific scenario is established, and the simulation continues up to the point of actual relocation to the alternate site.
• A parallel test is one in which some systems are actually run at the alternate site.
• A full-interruption test is one in which regular operations are stopped and where processing is moved to the alternate site.
• Remote journaling involves transmitting the journal or transaction log offsite to a backup facility.

Criticality Analysis (CA)
• Performed after Business Impact Analysis
– Identifies those business processes that are most important and how quickly they need to be recovered during and after any disaster scenario.

Contingency Plans

• Develop contingency plan – procedures and guidelines for how the organization can still stay functional in a crippled state
• Discuss current contingency plan with necessary parties
• Explain contingency plan
• Monitor contingency plan training
• Propose contingency plan
• Summarize contingency plan

Contingency Plans
• Direct implementation of contingency plan
- Object-to-task mapping
- Resource-to-task mapping
- Milestones
- Budget estimates
- Success factors
- Deadlines
• Direct operation of contingency plan
• Influence management on importance of having properly trained SA/staff to perform contingency plan on mission critical systems
• Test contingency plan – highlights deficiencies in the plan
Contingency Plans

• Verify current contingency plan is available and accurate
• Verify that necessary parties understand contingency plan and where it is maintained; parties include:
- Business units
- Senior management
- IT department
- Security department
- Communications department
- Legal department
• Write contingency plan

Executing Response and Recovery Plans
Post-incident Activities and Investigation
Domain 4: Information Security Incident Management

Connecticut Eradication and Recovery
• Eradication actions for specific incident type
• Follow change management procedures
• Perform recovery procedures
• System verification
• Remove malicious code/virus
• Assess the impact on operating systems
• Harden the operating systems
• Remove dormant user IDs
• Tighten access rights
• Shut down and restart systems/services for DoS
• Software/Hardware configuration changes
• Restoration from previous backup
• Re-installation.

Connecticut Resume Operation

• Once eradication and recovery have been completed successfully, normal operations can resume.
• Appropriate agency and interagency communication will occur at this time.

Connecticut Post Incident Review
• The IT security Division focuses on analyzing patterns
of activity across the enterprise.
– They support comprehensive tracking, recording, and
dissemination of information to the enterprise.
– By consolidating the information collected, the team is better
able to identify similar attacks, artifacts, exploits, trends and
patterns.
– Potential new threats to the enterprise can also be identified.
– Your Agency will focus on patterns of activity within the LAN
and agency applications.
– In this model, it is important that the team have expertise or
familiarity with all platforms and operating systems used in
the organization.
– If this does not exist within the centralized team component, then there must be mechanisms in place to collaborate with the distributed team members or other organizational experts who can provide the required knowledge.

Connecticut Post Incident Activities
• Based on the results of the analysis of any vulnerability or
artifact information, the IT security Division coordinates the
release of remediation, detection, and recovery steps
throughout the enterprise as required.
• Post Incident Activity – The IMT and response team(s) will
attend a debriefing meeting and an After Action Report
(AAR) of the incident from start to conclusion is developed
which will include an improvement plan.
• Documentation of any permanent changes to systems as a result of the incident is generated. Incident data collected is analyzed to determine such things as the cost of the incident in money, time, etc. Evidence retention policies and procedures are implemented.

Connecticut Follow Up

• Specific follow up activities include:
– Monitor affected systems
– Update incident log
– Perform post-mortem
– Incident documentation
– Media-Handling
– Update incident response procedures

Reconstitution
• Discuss current reconstitution plan with necessary parties to ensure they understand their respective reconstitution roles and responsibilities
• Explain reconstitution plan – plan for handling the situation when an organization moves to a new site or returns to the original site
• Explain restoration – placing information onto the new site through the use of proper protection, detection, and reaction capabilities defined in the plan
• Monitor reconstitution plan training
• Monitor restoration/reconstitution
• Summarize restoration/reconstitution plan

Reconstitution
• Verify that necessary parties understand restoration/reconstitution plans and where they are maintained
• Develop restoration/reconstitution plan
- Ensuring adequate environment and necessary equipment and supplies are present and functional
- Proper communications, connectivity and testing procedures
- Backup data from alternate site to new site
• Direct implementation of reconstitution plan – facility restoration, environment testing, and moving of operations
• Direct operation of reconstitution plan
• Implement and maintain recovery procedures
• Implement recovery procedures

Reconstitution
• Implement testing and assessment
- Checklist test – has anything been forgotten?
- Structured walk-through test – all parties meet and talk through scenarios step by step
- Simulation test – drills are done to practice executing disaster recovery plans
- Parallel test – ensures that specific systems can run at the alternate offsite facility
- Full-Interruption test – original site is shut down and offsite is used
• Implement training
• Influence management on importance of having properly trained SA/staff to perform reconstitution plan on mission critical systems
• Propose reconstitution plan
Reconstitution

• Test/exercise restoration/reconstitution plan
• Verify current restoration/reconstitution plan is available and accurate
• Write restoration/reconstitution plan
• Evaluate test/execution of reconstitution plan

Recovery
• Address recovery procedures with SA/staff
• Develop recovery plan
- Business process recovery
- Facility recovery
- Supply and technology recovery
- User environment recovery
- Data recovery
• Direct SA/staff to use recovery plan during recovery
• Discuss current recovery plan with necessary parties
• Explain recovery plan
• Monitor recovery plan training

Recovery
• Summarize recovery plan
• Verify that necessary parties understand recovery plan and where it is maintained
• Direct implementation of recovery plan
• Direct operation of recovery plan
- Move to alternate site
- Restore processes
- Recovery procedures
• Influence management on importance of having properly trained SA/staff to perform recovery plan on mission critical systems
• Propose recovery plan

Recovery
• Test recovery plan
• Verify current recovery plan is available and accurate
• Verify SA understands rules for restoring files
• Write recovery plan
- Required roles
- Required resources
- Input and output mechanisms
- Workflow steps
- Required time for completion
- Interfaces with other processes

Incident Response Lifecycle and Business Integration

Source: https://www.isaca.org/Journal/archives/2015/volume-6/Pages/a-business-integrated-approach-to-incident-response.aspx

Communications Grid

Source: https://www.isaca.org/Journal/archives/2015/volume-6/Pages/a-business-integrated-approach-to-incident-response.aspx

MIL-STD-882E System Safety

MIL-STD-882E Risk Assessment

NIST Incident Response Life Cycle

Certified Information Security Manager

• The management-focused CISM is the globally accepted standard for individuals who design, build and manage enterprise information security programs. CISM is the leading credential for information security managers.
• The recent quarterly IT Skills and Certifications
Pay Index (ITSCPI) from Foote Partners ranked
CISM among the most sought-after and highest-
paying IT certifications.
• DoD 8140 compliant
• DoD 8570 Level III IAM
