CISM - Firebrand Training · 5/6/2016 © 2016 Firebrand Ensure that the CISM candidate… Establish...


Page 1

CISM™ Certified Information Security Manager

Firebrand Custom Designed Courseware

Page 2

Chapter 4: Information Security Incident Management

Page 3

Ensure that the CISM candidate…

Establish an effective program to respond to and subsequently manage incidents that threaten an organization’s information systems and infrastructure

The content area in this chapter will represent approximately 18% of the CISM examination (approximately 36 questions).

Exam Relevance

ISACA CISM Review Manual Page 220

Page 4

Chapter 4

Learning Objectives

Develop and implement processes for:

• Detecting

• Identifying

• Analyzing

• Responding

To information security incidents

ISACA CISM Review Manual Page 220

Page 5

Learning Objectives cont.

Incident Management process

• Establish a severity hierarchy for identification and response to security incidents

• Maintain an incident response plan

• Establish processes to identify and investigate incidents

• Establish escalation and communications plans

• Develop a skilled team

ISACA CISM Review Manual Page 220

Page 6

Learning Objectives cont.

Test and refine information security incident response plans

Manage incident response

Conduct post-incident reviews of security incidents to determine root cause, develop corrective actions and reassess risk

Integrate incident response plans with business continuity plans (BCP) and disaster recovery plans (DRP)

ISACA CISM Review Manual Page 220

Page 7

Definition

Incident

• Any event that has the potential to adversely impact the ability of the business to meet its objectives

Incident management

• The capability to effectively manage unexpected disruptive events

• Minimize impacts

• Maintain and restore normal business operations within defined time limits

ISACA CISM Review Manual Page 233

Page 8

Definition

Incident response

• The operational capability of incident management that identifies, prepares for and responds to incidents

• Provide forensic and investigative capabilities

• Restore normal operations as defined in service level agreements (SLAs)

• Manage the impact of unexpected disruptive events to acceptable levels

ISACA CISM Review Manual Page 234

Page 9

Definition

Incident Management will ensure that incidents are detected, recorded and managed to limit impacts.

ISACA CISM Review Manual Page 234

Page 10

Goals of Incident Management and Response

The goals of incident management and response include:

• The ability to deal effectively with unanticipated events

• Detection and monitoring capabilities to alert staff to a potential incident

• Effective notification and reporting to management

• A response plan that is aligned with business priorities

ISACA CISM Review Manual Page 234

Page 11

Goals of Incident Response cont.

The ability to learn from past incidents and prevent future problems

Regular testing and validation of the effectiveness of the plan

ISACA CISM Review Manual Page 234

Page 12

What is an Incident - Intentional

Malicious code

Unauthorized access to IT systems, facilities, information

Unauthorized use of resources

Unauthorized changes to systems, networks

Denial of service (DoS)

Surveillance, espionage

Social Engineering

Fraud

ISACA CISM Review Manual Page 236

Page 13

What is an Incident - Unintentional

Equipment failure

Utility failure (power)

Software bugs

Deletion of files

Weather-related issues

ISACA CISM Review Manual Page 236

Page 14

Incident Response Team Members

Page 15

Personnel

An Incident Response Team usually consists of

• The Incident Manager (often an Information Security Manager)

• The Team Leader

• Steering committee/advisory board

• Provide oversight and authority

ISACA CISM Review Manual Page 239

Page 16

Personnel cont.

An Incident Response Team usually consists of

• Permanent/dedicated team members

• Specialized skills – forensics, audit, communications, legal

• Representation from key departments – Operations, IT, HR, Finance, Security, Executive, etc.

• Virtual/temporary team members

• External experts

ISACA CISM Review Manual Page 237

Page 17

Personnel cont.

The composition of the incident response team will depend on a number of factors such as

• Mission and goals of the incident response program

• Nature and range of services provided

• Available staff expertise

• Scope and technology base

• Anticipated incident load

• Severity or complexity of incident reports

• Funding

• Regulations and legal considerations

ISACA CISM Review Manual Page 237

Page 18

Team Member Skills

The set of basic skills that incident response team members need can be separated into two broad groups:

• Personal skills

• Ability to handle stress

• Leadership skills

• Expertise based on the incident handler’s daily activity.

• Technical skills

• Specialized skills in IT, communications, etc

ISACA CISM Review Manual Page 238

Page 19

Skills cont.

Personal skills

• Communication

• Presentation skills

• Ability to follow policies and procedures

• Team skills

• Integrity

• Confidence

• Problem solving

• Time management

ISACA CISM Review Manual Page 238

Page 20

Skills cont.

Technical skills

• Basic understanding of the underlying technologies used by the organization

• Understanding of the techniques, decision points and supporting tools required in incident management

ISACA CISM Review Manual Page 239

Page 21

Security Concepts and Technologies

The following security concepts and technologies should be considered and known to IRTs

• Security principles

• Security vulnerabilities/weaknesses

• The Internet

• Network protocols

• Network applications and services

• Network security issues

• Operating systems

• Malicious code

• Programming skills

ISACA CISM Review Manual Page 237

Page 22

Organizing, Training and Equipping the Response Staff

Every incident response team member should get the following types of training:

• Induction to Incident response - basic information about the team and its operations

• Description of the team’s roles, responsibilities and procedures

• On the job training

• Formal training

ISACA CISM Review Manual Page 238

Page 23

Review and Audit of Incident Response

ISACA CISM Review Manual Page 240

Page 24

Value Delivery

To deliver value, incident management should:

• Integrate and align with business processes and structures

• Improve the capability of businesses to manage incidents effectively

• Integrate incident management with risk and business continuity

• Become part of an organization’s overall strategy and effort to protect and secure critical business function and assets

ISACA CISM Review Manual Page 241

Page 25

Performance Measurement

Performance measurements for incident management and response will focus on achieving the defined objectives and optimizing effectiveness

• Incident response time

• Application of lessons learned

KPIs and KGIs should be defined and agreed upon by stakeholders and ratified by senior management

ISACA CISM Review Manual Page 241
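As an added example of how the performance measures named on this slide can be computed from an incident register (this is not Firebrand or ISACA material), the Python below derives mean time to detect, mean time to contain and a lessons-learned closure ratio, then compares each against a target. The register rows, field names and target thresholds are constructed assumptions; a real set of KPIs and targets would be agreed with stakeholders and ratified by senior management as the slide describes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import isnan
from statistics import mean
from typing import List, Optional


@dataclass
class Incident:
    """One row of a constructed incident register (assumed layout)."""
    incident_id: str
    severity: str                    # "catastrophic", "major" or "minor"
    occurred: datetime               # best estimate of when the event began
    detected: datetime               # when monitoring or a user report surfaced it
    contained: Optional[datetime]    # None while containment is still open
    lessons_total: int               # corrective actions raised at the post-event review
    lessons_closed: int              # of those, how many have been implemented


# Constructed sample register; times and counts are invented for the example.
T0 = datetime(2016, 5, 1, 8, 0)
REGISTER: List[Incident] = [
    Incident("INC-001", "major", T0, T0 + timedelta(hours=2),
             T0 + timedelta(hours=6), 3, 3),
    Incident("INC-002", "minor", T0 + timedelta(days=1),
             T0 + timedelta(days=1, hours=1), T0 + timedelta(days=1, hours=2), 1, 0),
    Incident("INC-003", "catastrophic", T0 + timedelta(days=3),
             T0 + timedelta(days=5), T0 + timedelta(days=5, hours=12), 4, 2),
    Incident("INC-004", "minor", T0 + timedelta(days=6),
             T0 + timedelta(days=6, minutes=30), None, 0, 0),
]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_detect(register: List[Incident]) -> float:
    """Average hours between an incident beginning and its detection."""
    return mean([hours(i.detected - i.occurred) for i in register])


def mean_time_to_contain(register: List[Incident]) -> float:
    """Average hours from detection to containment over closed incidents only.
    Open incidents are excluded rather than counted as zero, which would
    flatter the figure."""
    closed = [i for i in register if i.contained is not None]
    if not closed:
        return float("nan")
    return mean([hours(i.contained - i.detected) for i in closed])


def lessons_learned_closure(register: List[Incident]) -> float:
    """Share of post-event-review corrective actions that have been implemented."""
    total = sum(i.lessons_total for i in register)
    if total == 0:
        return 1.0
    return sum(i.lessons_closed for i in register) / total


def kpi_report(register: List[Incident], targets: dict) -> dict:
    """Each KPI with its value and whether it meets the agreed target.
    `targets` stands in for the stakeholder-ratified thresholds."""
    mttd = mean_time_to_detect(register)
    mttc = mean_time_to_contain(register)
    closure = lessons_learned_closure(register)
    return {
        "mttd_hours": (mttd, mttd <= targets["mttd_hours"]),
        "mttc_hours": (mttc, not isnan(mttc) and mttc <= targets["mttc_hours"]),
        "lessons_closed_ratio": (closure, closure >= targets["lessons_closed_ratio"]),
        "open_incidents": sum(1 for i in register if i.contained is None),
    }


if __name__ == "__main__":
    # Constructed targets; a real set would be agreed with stakeholders.
    report = kpi_report(REGISTER, {"mttd_hours": 24, "mttc_hours": 8,
                                   "lessons_closed_ratio": 0.8})
    for name, value in report.items():
        print(name, value)
```

With the constructed register the detection and containment targets are met but only 5 of 8 corrective actions are closed, so the lessons-learned KPI fails; that is the kind of finding the audit slides later in this chapter expect to surface.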

Page 26

Reviewing the Current State of Incident Response Capability

Survey of senior management, business managers and IT representatives

Self-assessment

External assessment or audit

ISACA CISM Review Manual Page 243

Page 27

Audits

Audits (internal and external) must be performed to verify

• Incidents have been resolved and closed off

• Lessons learned applied to the organization

• Adherence by the incident response team to the policies and procedures defined by the organization

ISACA CISM Review Manual Page 240

Page 28

History of Incidents

Past incidents provide valuable information on risk trends, threat types and business impact due to an incident

• Can be used to evaluate the existing plans

• Used as input to know the types of incidents that must be considered and planned for

ISACA CISM Review Manual Page 244

Page 29

Gap Analysis – Basis for an Incident Response Plan

Gap analysis – compares current incident response capabilities with the desired level.

The following may be identified:

• Processes that need to be improved to be more efficient and effective

• Resources needed to achieve the objectives for the incident response capability

ISACA CISM Review Manual Page 245

Page 30

Preparing the Incident Response Plan

Page 31

Incident Management and Response

The incident management and response structure should include:

• Incident Response Planning

• Business Continuity Planning

• Disaster Recovery Planning

• Recovery of IT systems

Page 32

Incident Management and Response cont.

Plans must be

• Clearly documented

• Readily accessible

• Based on the long range IT plan

• Consistent with the overall business continuity and security strategies

Page 33

Incident Management and Response cont.

Incident Response planning includes

• Incident detection capabilities (the ability to recognize an event and distinguish a false positive from a real event)

• Clearly defined severity criteria (catastrophic, major, minor)

• Assessment and triage capabilities (determine extent of incident)

• Declaration criteria (activation of response teams)

Page 34

Importance of Incident Management and Response

Incident response is required since even minor incidents may:

• Affect business viability

• Develop into major incidents

• Require public communications plans

• Necessitate advising regulators, clients or other affected stakeholders

Even the best controls cannot prevent all incidents

ISACA CISM Review Manual Page 234

Page 35

Incident Response Functions

Detection and reporting

• Alerting, escalation

Triage

• Containment, recovery

Analysis

• Root cause, lessons learned

Incident response team skills

• Necessary training and experience

ISACA CISM Review Manual Page 234

Page 36

Incident Management Technologies

An effective incident management system should

• Monitor and consolidate inputs from multiple systems

• Identify incidents or potential incidents

• Prioritize incidents based on business impact

• Provide status tracking and notifications

• Integrate with major IT management systems

• Follow good practices guidelines

ISACA CISM Review Manual Page 235

Page 37

Responsibilities of the CISM

Developing the information security incident management and response plans

Handling and coordinating information security incident response activities

Validating, verifying and reporting on the effectiveness of protective controls and countermeasure solutions

Planning, budgeting and program development for all matters related to information security incident management and response

ISACA CISM Review Manual Page 236

Page 38

Incident Response Responsibilities

The responsibilities of incident response include:

• Managing the incident so that the impact is contained and minimal damage occurs

• Notifying the appropriate people and escalating the incident to management when required

• Recovering quickly and efficiently from security incidents

• Balancing operational and security needs

ISACA CISM Review Manual Page 236

Page 39

Incident Response Responsibilities cont.

The responsibilities of incident response include:

• Responding systematically and decreasing the likelihood of cascading problems or incident recurrence

• Dealing with legal and law enforcement-related issues

• Ensuring that the incident response is documented

• Following up on lessons learned to enhance controls

ISACA CISM Review Manual Page 236

Page 40

Requirements for Incident Response Managers

Have the leadership skills necessary to manage crisis teams

Understand business priorities and culture

Have the experience, knowledge, and the authority to invoke the disaster recovery processes necessary to maintain or recover operational status

ISACA CISM Review Manual Page 236

Page 41

Senior Management Involvement

Senior management provides strategic direction during the crisis

• Reporting of the incident is escalated to senior management

• Decisions and direction are passed down to the incident management teams

ISACA CISM Review Manual Page 236

Page 42

The Desired State

Incident management and response requires

• Well-developed monitoring capabilities for key controls

• Personnel trained in assessing the situation, capable of providing triage, and managing effective responses

• Managers that have made provisions to capture all relevant information and apply previously learned lessons

ISACA CISM Review Manual Page 240

Page 43

Strategic Alignment of Incident Response

Incident management must be aligned with the organization’s strategic plan

• Scope – what incidents are the responsibility of the Incident response team

• Services – services should be clearly defined

• Organizational structure – Reporting and oversight

• Resources – sufficient staffing and skills necessary for effective response

• Funding – sufficient funding as required to manage incident response

• Management buy-in – Senior management buy-in is essential

ISACA CISM Review Manual Page 240

Page 44

Creating a Detailed Incident Response Plan

Page 45

Detailed Plan of Action for Incident Management

The incident management action plan outlined in the CMU/SEI technical report titled Defining Incident Management Processes:

• Prepare/improve/sustain (prepare)

• Protect infrastructure (protect)

• Detect events (detect)

• Triage events (triage)

• Respond

ISACA CISM Review Manual Page 242

Page 46

Detailed Plan of Action for Incident Management - Prepare

Prepare/improve/sustain (prepare) phase:

• Coordinate planning and design.

• Identify incident management requirements.

• Establish vision and mission.

• Obtain funding and sponsorship.

• Develop implementation plan.

• Coordinate implementation.

ISACA CISM Review Manual Page 242

Page 47

Detailed Plan of Action for Incident Management – Prepare cont.

Prepare/improve/sustain (prepare) phase

• Develop policies, processes and plans.

• Establish incident handling criteria.

• Implement defined resources.

• Evaluate incident management capability.

• Conduct postmortem review.

• Determine incident management process changes.

• Implement incident management process changes.

ISACA CISM Review Manual Page 242

Page 48

Detailed Plan of Action for Incident Management - Protect

Protect infrastructure (protect) phase

• Implement changes to computing infrastructure to mitigate ongoing or potential incident.

• Implement infrastructure protection improvements from postmortem reviews or other process improvement mechanisms.

• Evaluate computing infrastructure by performing proactive security assessments and evaluations.

• Provide input to detect processes on incidents/potential incidents.

ISACA CISM Review Manual Page 242

Page 49

Detailed Plan of Action for Incident Management - Detect

Detect events (detect) phase

• Proactive detection—The detection process is conducted prior to incident alert. This will enable the response team to detect attack precursors, false negatives and emerging threats.

• Reactive detection—The detection process is conducted when there are reports of possible incidents from system users or other organizations

ISACA CISM Review Manual Page 242

Page 50

Detailed Plan of Action for Incident Management - Triage

Triage

Requires initial gathering of incident data, incident severity determination, notification and activation of incident response team

• Can be done on two levels

• Tactical - Based on a set of criteria

• Strategic - Based on business impact

ISACA CISM Review Manual Page 242
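As an added example (not course material and not the CMU/SEI process itself), the Python below strings together the steps the preceding slides describe: consolidating alerts from several monitoring systems, deciding whether an event is a false positive or real, rating severity on the tactical level (a fixed set of criteria) and the strategic level (business impact of the affected asset), and applying declaration criteria that decide when the response team is activated and who is notified. The alert sources, the asset register, the severity rules and the notification roles are all constructed assumptions; an organization's own criteria would replace them.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Alert:
    """One input from a monitoring system (constructed format)."""
    source: str        # e.g. "ids", "antivirus", "helpdesk" (assumed names)
    asset: str         # hostname the alert concerns
    category: str      # "malware", "unauthorized_access" or "dos"
    confidence: float  # 0..1 as reported by the source


# Constructed asset register: business criticality feeds the strategic view.
ASSETS: Dict[str, dict] = {
    "web-01": {"criticality": "high", "data": "customer"},
    "hr-db": {"criticality": "high", "data": "personal"},
    "test-07": {"criticality": "low", "data": "none"},
}

# Tactical criteria (assumed): base severity per alert category.
TACTICAL = {"malware": "minor", "unauthorized_access": "major", "dos": "major"}
SEVERITY_ORDER = ["minor", "major", "catastrophic"]


def is_real_event(alerts_for_asset: List[Alert]) -> bool:
    """Detection step: a single low-confidence alert is treated as a probable
    false positive; corroboration by a second source, or one high-confidence
    alert, makes it a real event."""
    sources = {a.source for a in alerts_for_asset}
    return len(sources) >= 2 or any(a.confidence >= 0.9 for a in alerts_for_asset)


def escalate(severity: str) -> str:
    """Raise a severity one step, capped at catastrophic."""
    i = min(SEVERITY_ORDER.index(severity) + 1, len(SEVERITY_ORDER) - 1)
    return SEVERITY_ORDER[i]


def severity_for(asset: str, alerts_for_asset: List[Alert]) -> str:
    """Tactical criteria give a base rating from the worst alert category; the
    strategic view raises it one step when the asset is business-critical or
    holds personal or customer data."""
    base = max((TACTICAL.get(a.category, "minor") for a in alerts_for_asset),
               key=SEVERITY_ORDER.index)
    info = ASSETS.get(asset, {"criticality": "low", "data": "none"})
    if info["criticality"] == "high" or info["data"] in ("personal", "customer"):
        base = escalate(base)
    return base


@dataclass
class TriageResult:
    asset: str
    real: bool
    severity: str          # "none" for a discarded false positive
    activate_team: bool
    notify: List[str] = field(default_factory=list)


def triage(alerts: List[Alert]) -> List[TriageResult]:
    """Consolidate alerts per asset, drop probable false positives, rate
    severity and apply declaration criteria: major or catastrophic activates
    the response team via the incident manager, and catastrophic also
    escalates to senior management. Results come back highest severity first."""
    by_asset: Dict[str, List[Alert]] = {}
    for a in alerts:
        by_asset.setdefault(a.asset, []).append(a)
    results = []
    for asset, group in by_asset.items():
        if not is_real_event(group):
            results.append(TriageResult(asset, False, "none", False))
            continue
        sev = severity_for(asset, group)
        activate = sev in ("major", "catastrophic")
        notify = ["incident_manager"] if activate else []
        if sev == "catastrophic":
            notify.append("senior_management")
        results.append(TriageResult(asset, True, sev, activate, notify))

    def rank(r: TriageResult) -> int:
        return SEVERITY_ORDER.index(r.severity) if r.severity in SEVERITY_ORDER else -1

    return sorted(results, key=rank, reverse=True)


# Constructed sample alerts from three sources.
SAMPLE_ALERTS = [
    Alert("ids", "web-01", "unauthorized_access", 0.7),
    Alert("antivirus", "web-01", "malware", 0.6),
    Alert("ids", "test-07", "dos", 0.4),
    Alert("helpdesk", "hr-db", "malware", 0.95),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(r)
```

On the constructed input the web server, corroborated by two sources and business-critical, is declared catastrophic and escalated to senior management; the HR database is a major incident that activates the team; and the lone low-confidence alert on the test host is set aside as a probable false positive rather than activating anyone.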

Page 51

Detailed Plan of Action for Incident Management - Response

Response

• Technical response

• Collecting data for further analysis

• Analyzing incident supporting information such as log files

• Technical mitigation strategies and recovery options

• Development and deployment of workarounds

• Management response

• Legal response

ISACA CISM Review Manual Page 242

Page 52

Elements of an Incident Response Plan

Another approach to the development of an incident response plan

• Preparation

• Identification

• Containment

• Eradication

• Recovery

• Lessons learned

ISACA CISM Review Manual Page 244

Page 53

Crisis Communications

One of the greatest challenges in a crisis is effective communications

• Internal

• Staff, management, business units

• External

• Business partners

• Shareholders

• General public

• Government and regulatory bodies

• Law Enforcement

ISACA CISM Review Manual Page 248

Page 54

Challenges in Developing an Incident Management Plan

Unanticipated challenges may be the result of

• Lack of management buy-in and organizational consensus

• Mismatch to organizational goals and priorities

• Incident management team member turnover

• Poor communications

• Overly complex and wide-ranging plan

ISACA CISM Review Manual Page 248

Page 55

Responding to an Incident

Page 56

When an Incident Occurs

If an incident occurs:

• The Incident response team should follow the procedures set out in the Incident response plan

• Properly document (record and preserve) all information related to the incident

• Follow data/evidence preservation procedures

• Take precautions to avoid changing, altering or contaminating any potential or actual evidence

ISACA CISM Review Manual Page 258

Page 57

During an Incident

The initial response to an incident should include:

• Retrieving information needed to confirm an incident

• False positive or real event

• Notify incident manager and activate incident response teams

ISACA CISM Review Manual Page 258

Page 58

During an Incident cont.

• Identifying the scope and size of the affected environment (e.g., networks, systems, applications)

• Containing the incident and minimizing the potential for further damage

• Determining the degree of loss, modification or damage (if any)

• Identifying the possible path or means of attack

• Restoring critical services

ISACA CISM Review Manual Page 258

Page 59

Containment Strategies

During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs.

• Network isolation and segmentation

• Fire doors and fire suppression

• Fail secure

• Multiple suppliers

• Multiple facilities

• Cross trained staff

ISACA CISM Review Manual Page 258

Page 60

The Battle Box

Preloaded kits containing the tools and support materials needed by the response team in a crisis

• Flashlights

• Communications (radio, satellite phones)

• Battery

• Forms and documentation, pens

• Tools

• Protective clothing

• First aid kits

• Evidence collection bags

Page 61

Evidence Identification and Preservation

The CISM must know

• Requirements for collecting and preserving evidence

• Rules for evidence, admissibility of evidence, and quality and completeness of evidence

• The consequences of any contamination of evidence following a security incident

• Consider enlisting the help of third-party specialists if detailed forensic skills are needed

ISACA CISM Review Manual Page 260
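The slides "When an Incident Occurs" and this one both call for recording and preserving evidence without contaminating it. As an added example (not course or ISACA material, and not a substitute for the legal rules of evidence in any jurisdiction), the Python below shows the technical side of that: the evidence item is fingerprinted with SHA-256 at collection, every handling step is written to a chain-of-custody log in which each entry commits to the previous one, and both the item and the log can be checked later for alteration. The evidence bytes, evidence id, handler names and timestamps are constructed; the log format is an assumption for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log. Each entry commits to the previous
    entry's hash, so editing any entry, or removing or reordering entries
    within the chain, is detected by verify_chain()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON so an entry always hashes the same way.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, evidence_id: str, action: str, handler: str,
               evidence_hash: str, when: Optional[datetime] = None) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "evidence_id": evidence_id,
            "action": action,          # "collected", "transferred", "analyzed", ...
            "handler": handler,
            "evidence_hash": evidence_hash,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is unmodified and links to its predecessor."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(data: bytes, log: CustodyLog, evidence_id: str) -> bool:
    """An item is intact if its current hash equals the hash recorded at collection."""
    collected = next((e for e in log.entries
                      if e["evidence_id"] == evidence_id and e["action"] == "collected"),
                     None)
    return collected is not None and sha256_hex(data) == collected["evidence_hash"]


# Constructed evidence item: a captured log excerpt (203.0.113.0/24 is a
# documentation address range, not a real host).
EVIDENCE = b"2016-05-06T10:14:02Z web-01 sshd: Failed password for root from 203.0.113.9\n"


def demo() -> dict:
    """Collect, hand over, then show that altering the item or the log is detected."""
    log = CustodyLog()
    digest = sha256_hex(EVIDENCE)
    t = datetime(2016, 5, 6, 10, 30, tzinfo=timezone.utc)
    log.record("EV-001", "collected", "a.analyst", digest, t)       # constructed names
    log.record("EV-001", "transferred", "b.forensics", digest, t)
    intact = verify_evidence(EVIDENCE, log, "EV-001") and log.verify_chain()
    altered_item = verify_evidence(EVIDENCE + b"x", log, "EV-001")
    log.entries[0]["handler"] = "someone.else"   # after-the-fact edit of a log entry
    return {"intact": intact, "altered_item_ok": altered_item,
            "chain_after_edit": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The hash recorded at collection is what lets an analyst work on a copy and still show that the original was never changed; the chained log is what lets the organization show who handled the item and when, which is what admissibility questions turn on.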

Page 62

Post Event Reviews

Post Event Reviews allow lessons learned to be applied to future incidents

• Use information gathered to improve response procedures

• Do reviews with all affected staff

• Follow up on all lessons

ISACA CISM Review Manual Page 259


Business Continuity and Disaster Recovery Planning


Disaster Recovery Planning (DRP) and Business Recovery Processes

Disaster recovery has traditionally been defined as the recovery of IT systems from disastrous events

Business recovery (resumption) is defined as the recovery of the critical business processes necessary to continue or resume operations.

ISACA CISM Review Manual Page 249


Development of BCP and DRP

Each of these planning processes typically includes several main phases, including:

• Risk and business impact assessment

• Response and recovery strategy definition

• Documenting response and recovery plans

• Training all users and response teams

• Updating response and recovery plans

• Testing response and recovery plans

• Auditing response and recovery plans

ISACA CISM Review Manual Page 249


Plan Development

Plan development factors include:

• Pre-incident readiness

• Evacuation procedures

• How to declare a disaster

• Identifying the business processes and IT resources that should be recovered

• Identifying the responsibilities in the plan

ISACA CISM Review Manual Page 249


Plan Development cont.

Plan development factors include:

• Identifying contact information

• The step-by-step explanation of the recovery options

• Identifying the various resources required for recovery and continued operations

• Ensuring that other logistics such as personnel relocation and temporary housing are considered

ISACA CISM Review Manual Page 250


Developing Response and Recovery Plans

Factors to consider when developing response and recovery plans include:

• Available resources

• Expected service levels

• Types, kinds, and severity of threats faced by the organization

ISACA CISM Review Manual Page 250


Recovery Strategies

Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal

Strategies may include:

• Doing nothing until recovery facilities are ready

• Using manual procedures / workarounds

• Focusing on the most important customers, suppliers, products, and systems with resources that are still available

ISACA CISM Review Manual Page 251


Recovery Strategies

The most appropriate recovery strategy is based on:

• The ability to recover within acceptable recovery times at a reasonable cost

• Which recovery strategies are available

• Several options may be considered including outsourcing of certain functions

ISACA CISM Review Manual Page 252


Basis for Recovery Strategy Selections

Response and recovery strategy plans should be based on the following considerations:

• Interruption window

• RTOs

• RPOs

• Services delivery objectives (SDOs)

• Maximum tolerable outages (MTOs) / Maximum Tolerable Period of Disruption (MTPD)

• Location

• Nature of probable disruptions

ISACA CISM Review Manual Page 252
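The selection logic the two Recovery Strategies slides above describe (an available strategy that recovers within the RTO and RPO at the lowest cost, with the RTO checked against the MTPD first), as an added Python example that is not part of the Firebrand courseware or the ISACA manual; the site names, recovery times, data ages and annual costs are constructed figures.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RecoveryRequirement:
    """Targets for one business process, as set by the BIA (hours)."""
    process: str
    rto_hours: float   # recovery time objective: longest acceptable downtime
    rpo_hours: float   # recovery point objective: oldest acceptable restored data
    mtpd_hours: float  # maximum tolerable period of disruption (MTO / MTPD)


@dataclass(frozen=True)
class RecoveryStrategy:
    """What a candidate site or approach can actually deliver."""
    name: str
    recovery_hours: float  # time until the process runs at the alternate site
    data_age_hours: float  # age of the newest data restorable there
    annual_cost: float


def targets_are_consistent(req: RecoveryRequirement) -> bool:
    """An RTO longer than the MTPD is a planning error, not a strategy problem."""
    return 0 <= req.rto_hours <= req.mtpd_hours and req.rpo_hours >= 0


def meets_targets(strategy: RecoveryStrategy, req: RecoveryRequirement) -> bool:
    """Feasible only if it recovers within the RTO and loses no more data than the RPO."""
    return (strategy.recovery_hours <= req.rto_hours
            and strategy.data_age_hours <= req.rpo_hours)


def select_strategy(candidates: Iterable[RecoveryStrategy],
                    req: RecoveryRequirement) -> Optional[RecoveryStrategy]:
    """Cheapest available candidate that meets the targets; None if none does."""
    if not targets_are_consistent(req):
        raise ValueError(f"{req.process}: RTO must not exceed MTPD")
    feasible = [s for s in candidates if meets_targets(s, req)]
    return min(feasible, key=lambda s: s.annual_cost, default=None)


# Constructed sample figures, not taken from the ISACA manual or Firebrand material.
CANDIDATES = (
    RecoveryStrategy("cold site", recovery_hours=168.0, data_age_hours=24.0, annual_cost=20_000),
    RecoveryStrategy("warm site", recovery_hours=24.0, data_age_hours=24.0, annual_cost=80_000),
    RecoveryStrategy("hot site", recovery_hours=2.0, data_age_hours=1.0, annual_cost=300_000),
    RecoveryStrategy("mirror site", recovery_hours=0.1, data_age_hours=0.0, annual_cost=900_000),
)
```

A process with a 4-hour RTO and 1-hour RPO ends up on the hot site, while a 72-hour RTO with a 24-hour RPO is served by the cheaper warm site; a target the most capable option cannot meet yields no strategy rather than a silently unmet plan.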


Disaster Recovery Sites

Types of offsite backup hardware facilities available include:

• Hot sites

• Warm sites

• Cold sites

• Mobile sites

• Duplicate information processing facilities

• Mirror sites

ISACA CISM Review Manual Page 250


Disaster Recovery Sites cont.

Criteria for selecting alternate sites for processing in the event of a disaster include:

• The recovery site should not be subject to the same disaster(s) as the primary site

• Availability of similar hardware /software

• Ability to move people and resources to the recovery location

• Ability to test the recovery strategy

ISACA CISM Review Manual Page 250


Recovery of Communications

Recovery of IT facilities involves telecommunications and network recovery:

• Alternative / Diverse routing

• Long-haul network diversity

• Voice recovery

• Availability of appropriate circuits and adequate bandwidth

• Availability of out-of-band communications in case of failure of primary communication methods

ISACA CISM Review Manual Page 254


Notification Requirements

The plan should include a call tree with a prioritized list of contacts:

• Representatives of equipment and software vendors

• Contacts within companies that have been designated to provide supplies and equipment or services

• Contacts at recovery facilities, including hot-site representatives or predefined network communications rerouting services

ISACA CISM Review Manual Page 253


Notification Requirements cont.

The plan should include a call tree with a prioritized list of:

• Contacts at off-site media storage facilities and the contacts within the company who are authorized to retrieve media from the off-site facility

• Insurance company agents

• Contacts at human resources (HR) and/or contract personnel services

• Law enforcement contacts

ISACA CISM Review Manual Page 253


Response Teams

The number of teams depends upon the size of the organization and the magnitude of its operations. Examples include:

• The emergency action team

• Damage assessment team

• Emergency management team

• Relocation team

• Security team

ISACA CISM Review Manual Page 247


Insurance

Types of insurance coverage:

• IT equipment and facilities

• Media (software) reconstruction

• Extra expense

• Business interruption

• Valuable papers and records

• Errors and omissions

• Fidelity coverage

• Media transportation

ISACA CISM Review Manual Page 255


Testing Response and Recovery Plans

Testing must include:

• Developing test objectives

• Executing the test

• Evaluating the test

• Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans

• Implementing a follow-up process to ensure that the recommendations are implemented

ISACA CISM Review Manual Page 256


Types of Tests

Tests can include:

• Desk check / Table-top walk-through of the plans

• Table-top walk-through with mock disaster scenarios (simulation tests)

• Testing the infrastructure and communication components of the recovery plan

• Testing the infrastructure and recovery of the critical applications (parallel tests)

• Full restoration and recovery tests with some personnel unfamiliar with the systems

ISACA CISM Review Manual Page 256


Test Results

The test should strive to:

• Verify the completeness and effectiveness of the response and recovery plans

• Evaluate the performance of the personnel involved in the exercise

• Evaluate the coordination among the team members and external vendors and suppliers

• Indicate areas where improvements to the plan are necessary

ISACA CISM Review Manual Page 256


Test Results cont.

The test should strive to:

• Measure the ability and capacity of the backup site to perform required processing

• Ensure vital records / data can be retrieved

• Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site

• Measure the overall performance of operational and information systems related to maintaining the business entity

ISACA CISM Review Manual Page 257


Plan Maintenance Activities

The BCP and DR plans must be maintained through:

• Developing a schedule for periodic review and maintenance of the plan

• Updating the plan with personnel changes, phone numbers, and changes in responsibilities or status within the company

• Updating the plan whenever significant changes have occurred, such as:

  • Organizational change

  • Results of tests or incidents

ISACA CISM Review Manual Page 255


BCP and DRP Training

Training must be provided for all staff according to their responsibilities:

• Develop a schedule for training personnel in emergency and recovery procedures, covering:

  • Users

  • Team members

  • Local business unit liaisons


End of Chapter

This concludes the 2016 CISM Course