CISM Chapter 5 – Incident Management and Response

Incident Management and Response (IM&R) accounts for 14 percent of the CISM exam, or about 28 questions.  This is the final domain covered in the Certified Information Security Manager (CISM) material.  In my opinion it’s the most important, because if you can’t recover from an incident or a disaster, you’re out of business.

There are ten (10) task statements for IM&R and seventeen (17) knowledge statements.  The 10 task statements are:

  1. Develop and implement processes for detecting, identifying, analyzing and responding to information security incidents.
  2. Establish escalation and communication processes and lines of authority.
  3. Develop plans to respond to, and document, information security incidents.
  4. Establish the capability to investigate information security incidents (e.g. forensics, evidence collection and preservation, log analysis, interviewing).
  5. Develop a process to communicate with internal parties and external organizations (e.g., media, law enforcement, customers).
  6. Integrate information security incident response plans with the organization’s disaster recovery (DR) and business continuity plan.
  7. Organize, train, and equip teams to respond to information security incidents.
  8. Periodically test and refine information security incident response plans.
  9. Manage the response to information security incidents.
  10. Conduct reviews to identify causes of information security incidents, develop corrective actions and reassess risk.

There are nine “Suggested Resources” in Chapter 5.  Four of them belong in your personal library, and you should read them, as several questions on the exam come from this material.

  1. Burtles, Jim; Principles and Practice of Business Continuity, Tools and Techniques, Rothstein Associates Inc., USA, 2007
  2. Graham, Julia; David Kaye;  A Risk Management Approach to Business Continuity, Rothstein Associates Inc., USA, 2006
  3. Hiles, Andrew; The Definitive Handbook of Business Continuity Management, 2nd Edition; John Wiley & Sons Inc., USA, 2007
  4. Snedaker, Susan; Business Continuity & Disaster Recovery Planning for IT Professionals, Syngress Publishing Inc., USA, 2007

The purpose of incident management and response is to manage and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels.

Incident management and response is a part of business continuity planning, just as disaster recovery is part of business continuity planning.  From ISACA’s point of view there are seven steps of incident management and response they want you to know, and to know IN SEQUENCE:

  1. Detect incidents quickly
  2. Diagnose incidents accurately
  3. Manage them properly
  4. Contain and minimize damage
  5. Restore affected services
  6. Determine root causes
  7. Implement improvement to prevent recurrence

Senior management will need to be involved in the planning process for several areas of IM&R:

  1. Incident detection capabilities
  2. Clearly defined severity criteria
  3. Assessment and triage capabilities
  4. Declaration criteria
  5. Scope of incident management
  6. Response capabilities

The most important of these is “Declaration criteria.”  Declaring a disaster when a limited response would suffice can waste time and resources and make you look incompetent.

One of the outcomes of IM&R is that, with good training, planning and testing, you will ensure that incidents are identified and contained, and the root cause is addressed, to allow recovery within an acceptable interruption window (AIW).  HINT: AIW=acceptable interruption window, which we covered in a previous CISM article.  As I’ve mentioned before, if ISACA repeats itself, you can anticipate seeing it on the exam.

There are three technologies you should associate with IM&R.  They are network intrusion detection systems (NIDS), host intrusion detection systems (HIDS) and logs (these can be system, database, OS or application logs).  And you probably want to know that SIEM (security information and event management) is a way of collecting, correlating and managing those HIDS/NIDS alerts and logs in one place.

So what are the objectives of IM&R?  There are really three:

  1. Handle incidents when they occur
  2. Prevent previous incidents from recurring
  3. Deploy proactive countermeasures to prevent incidents or minimize their probability

When we talk about incident management metrics and indicators the same six topics come up as we’ve seen in previous articles:

  1. Strategic Alignment
  2. Risk Management
  3. Assurance Process Integration
  4. Value Delivery
  5. Resource Management
  6. Performance Measurement

So now that we’ve got the basics out of the way, let’s look at five sets of procedures you need to have in place for IM&R.

  1. You’ll need to have procedures for how you prepare for IM&R;
  2. procedures for how you protect the infrastructure;
  3. procedures for how you detect events (remember SIEM);
  4. procedures for how you triage events;
  5. and finally procedures for how you respond.

As is the case with any plan, there are always the challenges of management support, misalignment with organizational goals, staff turnover, lack of communication and the more basic challenge of having a plan that is too broad and doesn’t have enough depth.

ISACA in their CISM Review Manual has a full page exhibit dedicated to the roles and responsibilities of the IM&R team members.  It’s Exhibit 5.2 and you should pay particular attention to the Information Security Manager’s role and responsibility as well as that of the Business Manager.

Where does it all begin?  It all begins with a Business Impact Analysis (BIA) (HINT: you might see this again), which lists all the business functions and identifies which of them are essential.  These essential business functions are the ones that will require IM&R and will require disaster recovery.

When we talk about the Incident Response Plan (IRP), there is a set sequence of phases that you will need to memorize, in order, the way you would a mnemonic.  It goes like this: PICERL, that’s Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

So let’s talk a little about the Recovery piece and what you will need to know for the exam.  There are six types of recovery sites:

  1. Hot sites
  2. Warm sites
  3. Cold sites
  4. Mobile sites
  5. Mirror sites
  6. Duplicate information processing facilities

You should be familiar with the pros and cons of each, as well as what constitutes each, particularly the difference between hot and warm sites, and should you see “Reciprocal Agreements,” know that the author treats them as a subset of duplicate information processing facilities.  As a footnote to these six, each has an associated cost, and some are more expensive than others.  If you were asked which is the most expensive, you should be able to pick one out of the four answers based on your knowledge of all six.

In recovery, one of the pieces is network recovery, and you should be familiar with the concepts of redundancy, alternative routing, diverse routing, long-haul network diversity, last-mile circuit protection and voice recovery.  When you look these up, make sure you understand the difference between alternative routing (using a different medium or carrier path) and diverse routing (physically separate cable routes).

As is the case with any plan, it needs to be tested, and recovery is no exception.  The different types of tests associated with recovery are: checklist review; structured walkthrough; simulation test; parallel test and full interruption test.  One of the things that should come out of all this testing is a verification of the RTO/RPO parameters which were specified in the BIA.  For example, if a particular business functional area wants its applications restored in four hours and IT says it can’t rebuild a server from scratch in less than eight hours, then some decisions need to be made as to how to meet the RTO and/or whether the RTO is valid.

As a parting comment on IM&R, there is always the possibility that you will need to have evidence, especially if the incident is malicious and has the potential for going to trial.  So in your IM&R plan, you need to account for evidence: protecting it, maintaining chain of custody and all the details that go into preparing for a case to go to court.  Consider an incident as simple as someone hacking in through an open port on the firewall.  If you discover that open port and immediately reconfigure the firewall rules to block traffic on it without first taking a forensically appropriate image copy, you could destroy a court case.  So be sure to include forensic evidence collection as part of your IM&R plan.
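To make the “protect it and maintain chain of custody” point concrete, here is an added example (mine, not from the CISM Review Manual or this article) of the bookkeeping a responder would do around a captured image before touching the firewall: hash the evidence file, append a custody entry for every hand-off, and later re-hash to prove nothing changed.  The file names, custodian names and the sample firewall rule set are constructed for illustration.

```python
"""Evidence integrity and chain-of-custody record keeping.

Added example, not part of the original article or ISACA material.
It assumes the evidence has already been captured to a file (for
instance an image of a firewall's configuration taken before the
rules are changed).  Names and sample content below are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path: str, evidence_path: str, action: str,
                   custodian: str, note: str = "") -> dict:
    """Append one custody entry (who, when, what, hash) as a JSON line."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "action": action,
        "custodian": custodian,
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log_path: str, evidence_path: str):
    """Check every logged hash against the evidence file as it is now.

    Returns (ok, reason).  A mismatch means the evidence was altered
    after that custody entry was written.
    """
    current = sha256_file(evidence_path)
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    if not entries:
        return False, "no custody entries"
    for e in entries:
        if e["sha256"] != current:
            return False, f"hash mismatch at {e['timestamp']} ({e['action']})"
    return True, f"{len(entries)} entries consistent with current hash"


def demo(workdir: str = None) -> dict:
    """Capture -> transfer -> verify, then tamper and verify again."""
    if workdir is None:
        workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "fw-config-image.bin")
    log = os.path.join(workdir, "custody.jsonl")
    # Constructed sample evidence: the rule set as found, open port included.
    with open(evidence, "wb") as f:
        f.write(b"rule 10 permit tcp any any eq 3389\nrule 20 deny ip any any\n")
    record_custody(log, evidence, "captured", "analyst-a",
                   "image taken before any firewall rule change")
    record_custody(log, evidence, "transferred", "analyst-b", "sealed bag #1")
    ok_before, _ = verify_custody(log, evidence)
    # Simulate someone editing the "evidence" after collection.
    with open(evidence, "ab") as f:
        f.write(b"rule 15 deny tcp any any eq 3389\n")
    ok_after, reason = verify_custody(log, evidence)
    return {"ok_before": ok_before, "ok_after": ok_after, "reason": reason}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

The hash proves the image is unchanged since capture; it does not prove who captured it or when, which is why the custody log itself should live on separate, write-once or access-controlled media and why the capture should be made before any remediation (blocking the port) takes place.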

I’ve enjoyed writing these articles about CISM and I hope you’ve enjoyed reading them.  Good luck on the exam and I look forward to seeing your new signature block with the letters “CISM” appended.

J Kenneth Magee

P.S. To review the other CISM Domains, you can find links to those reviews here.