CISM Domain 4: Information Security Incident Management (ISIM) [Updated 2019]
This domain review covers the areas of knowledge that CISM candidates must grasp in order to be able to establish an effective program to respond to and subsequently manage incidents that threaten an organization’s information systems and infrastructure.
Candidates will be tested on their ability to identify, analyse, manage and respond effectively to unexpected events that may adversely affect the organization’s information assets and its ability to operate.
In our general overview article on the primary domains of CISM, we discussed the different domains that the CISM candidate encounters while taking the exam, giving only a cursory discussion of ISIM concepts. In this article, we will gain a deeper understanding of the domain and discuss what candidates will need to know to prepare for the examination.
Information Security Incident Management Objectives
The primary purpose of incident management and response is to identify and respond to unexpected disruptive events with the objective of controlling the impacts within acceptable levels.
Candidates will be tested on their ability to manage and contain disruptions, including technical disruptions (such as those caused by malware, system intrusions and denial of service), environmental disruptions (fires, earthquakes and storms), and the broad category of accidents, mistakes and intentional acts (theft, embezzlement, fraud, extortion and espionage). In short, any type of incident that can significantly affect the organization’s ability to operate, or that may cause damage, must be considered within the scope of incident management and response capabilities.
Candidates should bear in mind that the extent of incident management and response capabilities must be carefully balanced against baseline security, business continuity and disaster recovery. For instance, if there is little or no response capability, it may be wise to raise baseline security levels so that fewer incidents occur in the first place.
The goals of incident management and response can therefore be summarized as:
- Detect incidents quickly
- Diagnose incidents accurately
- Manage incidents properly
- Contain and minimize damage
- Determine root causes
- Implement improvements to prevent recurrence
- Document and report
- Restore affected services
Candidates must know the point at which an incident escalates into a problem, and when the inability to adequately address that problem calls for the declaration of a disaster. It is also important to obtain senior management and stakeholder consensus on these criteria, since an effective incident management capability depends on their support.
Candidates need to know how different organizations approach business continuity planning (BCP) and disaster recovery, as these vary, although in most cases the two functions collaborate closely. The owner of each type of event must be clearly defined, and the classification criteria must be consistent, concisely described and easy to understand, so that events of similar magnitude are uniformly assigned the same severity level.
Incident response, business continuity (BC) and disaster recovery (DR) need to work together. Candidates will need to grasp the following topics:
- Incident response procedures
- Business continuity and disaster recovery procedures
- Testing of plans
- Post-incident activities and investigations
Outcomes of Incident Management
Candidates will need to know the characteristics of good incident management and response, as exercised in an organization. A hypothetical scenario is discussed below:
An organization with effective incident management can deal with unanticipated events that threaten to disrupt the business. It will have sufficient detection and monitoring capabilities to ensure that incidents are detected in a timely manner. Such an organization will have well-defined severity and declaration criteria as well as defined escalation and notification processes. Personnel will be trained in the recognition of incidents, the application of severity criteria and the proper reporting and escalation procedures. The organization will maintain monitoring and metrics to gauge the performance of its incident management and response capabilities, will periodically test those capabilities, and will ensure that plans and supporting information are updated regularly and are current and accessible when needed.
Candidates should expect such an organization to ensure that:
- Information assets are adequately protected and the risk level is within acceptable limits
- Effective incident response plans are in place and are understood by the relevant stakeholders; these include management, IT departments, end users and incident handlers.
- Incidents are identified and contained and the root cause is addressed to allow recovery within an acceptable interruption window (AIW).
- There is good control of communication flows to different stakeholders and external parties as documented in the communication plan.
- Lessons learned are documented and shared with stakeholders to increase the level of security awareness and serve as a basis for improvement.
- Assurance is provided to internal and external stakeholders; these may include customers, suppliers, and business partners. By providing assurance, the organization builds confidence that it has adequate control and is prepared to ensure long term business survivability.
In practice, the roles that successful candidates will face in incident response, business continuity planning (BCP) and disaster recovery planning (DRP) will vary considerably from one organization to another. It is important that candidates develop a good conceptual and practical understanding of what is required to adequately address the different responsibilities.
Incident Response Technology Concepts
Candidates must be familiar with the different concepts and technologies relevant to incident response. This is one area in which candidates will need to display a firm grasp. The following areas will be examined:
Security principles: Candidates will be required to show a general understanding of basic security principles such as confidentiality, availability, authentication, integrity, access control, privacy, nonrepudiation and compliance. These will allow candidates to understand the potential problems that may occur in case appropriate security measures have not been implemented correctly.
Security vulnerabilities: Candidates must understand how specific attacks manifest in a given hardware or software technology. Some of the most common types of vulnerabilities and associated attacks involve physical security issues (tailgating), protocol design flaws (man-in-the-middle attacks and spoofing), malicious code (viruses, worms and Trojan horses), implementation flaws (buffer overflows and race conditions), configuration weaknesses (information disclosure) and user errors or lack of awareness (phishing and social engineering attacks fall here).
The internet: Candidates need a general understanding of the weaknesses to which the underlying internet protocols are subject; this helps in anticipating future attacks. The following technologies that enable the internet should be addressed within the incident response program:
- Network protocols. The common (core) network protocols including Internet Protocol (IP), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP). Candidates need to understand how these protocols are used, the common types of attacks against them and strategies to mitigate attacks against them.
- Network applications and services. Candidates must understand secure configurations, usage and abuses against these technologies. They include domain name system (DNS), network file system (NFS), and secure shell (SSH).
- Network security issues. Candidates need to be able to recognize vulnerable points in a network configuration. Points of interest include basic perimeter security, which requires knowledge of network firewalls (port filtering, design, proxy systems, bastion hosts, demilitarized zones [DMZ]), routers, packet monitoring and sniffers, and the threats that lead a system to accept untrustworthy information (such as spoofed addresses or injected traffic).
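The protocol items above call for recognizing attacks such as spoofing against ARP and for strategies to mitigate them. The following Python sketch is an added example, written for this review rather than taken from the original article, and does in miniature what tools such as arpwatch do: it consumes ARP replies, keeps the learned IP-to-MAC bindings, and raises an alert when a binding changes, when a reply contradicts a trusted static entry (here the default gateway), or when one MAC claims more IPs than the operator allows. The reply records, the trusted bindings, the addresses, the `max_ips_per_mac` knob and the alert names are all constructed for the example.

```python
"""Detect ARP spoofing from a stream of ARP reply records.

Added example for this review; the replies and addresses below are
constructed, not captured from a real network or taken from the article.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since start of capture
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address carried in the reply


# Static bindings an operator would load from inventory (constructed):
# the default gateway is pinned to its real MAC and is never relearned.
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# Constructed capture: four legitimate replies, then the host at
# 192.168.1.66 (MAC de:ad:be:ef:00:01) starts poisoning caches by
# claiming the gateway's IP and another host's IP, after which the
# real gateway reasserts itself.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
    ArpReply(0.5, "192.168.1.10", "aa:bb:cc:dd:ee:10"),
    ArpReply(0.7, "192.168.1.66", "de:ad:be:ef:00:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(2.1, "192.168.1.10", "de:ad:be:ef:00:01"),
    ArpReply(2.5, "192.168.1.1", "aa:bb:cc:dd:ee:01"),
]


def detect_arp_spoofing(replies, trusted=None, max_ips_per_mac=1):
    """Return a list of alert dicts for suspicious ARP replies.

    trusted: ip -> mac bindings that must never change.
    max_ips_per_mac: how many IPs one MAC may legitimately claim before
    it is reported (raise it for routers or hosts with IP aliases).
    """
    trusted = dict(trusted or {})
    bindings = dict(trusted)       # ip -> mac, trusted plus learned
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []

    for r in replies:
        known = bindings.get(r.sender_ip)
        if known is None:
            bindings[r.sender_ip] = r.sender_mac   # first sighting: learn it
        elif known != r.sender_mac:
            if r.sender_ip in trusted:
                kind = "trusted-binding-violation"  # keep the pinned MAC
            else:
                kind = "binding-change"
                bindings[r.sender_ip] = r.sender_mac  # follow it so flip-flops alert too
            alerts.append({
                "ts": r.ts, "kind": kind, "ip": r.sender_ip,
                "expected_mac": known, "seen_mac": r.sender_mac,
            })

        claimed = ips_by_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > max_ips_per_mac:
                alerts.append({
                    "ts": r.ts, "kind": "mac-claims-multiple-ips",
                    "mac": r.sender_mac, "ips": sorted(claimed),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

Binding changes are not proof of an attack on their own: DHCP lease churn, a replaced NIC, failover virtual IPs and routers that answer for several addresses all produce the same signals, which is why the trusted list and the `max_ips_per_mac` threshold exist as tuning points. In a real deployment the `ArpReply` records would come from a packet capture or from a switch's dynamic ARP inspection logs rather than from the constructed list.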
Operating systems: Candidates will require knowledge of operating systems such as UNIX, Windows, macOS, Linux and Android, and of any other operating systems used by the team or organization. Candidates will be required to harden a system against attacks, review configuration files for weaknesses, identify common OS attack methods, review log files for anomalies, analyse the results of attacks, manage system privileges and recover from a compromise.
Malicious code: Candidates will be required to possess a basic understanding of how malicious code operates. Malicious code such as viruses, worms and Trojan horses carries different payload types with varied effects on a system, for example denial of service, website defacement, or multifaceted attacks such as ransomware. Such programs also propagate by different methods, and candidates will be required to understand those as well.
Programming skills: Candidates will be required to understand the impact of the different programming languages allowed within the organization and how they can be abused or improved upon. Poorly implemented code and weak design practices can be an attack vector against the organization and should be considered.
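Reviewing log files for anomalies, as the operating-system item above requires, is easiest to show on an authentication log. The Python below is an added example written for this review, not code from the original article: it parses sshd lines in the syslog format, counts failed logins per source address inside a sliding time window, raises a brute-force alert when the count crosses a threshold, and escalates when a source already flagged for brute force subsequently logs in successfully, which is the pattern an incident handler most wants surfaced. The log lines, hostnames, addresses, the threshold and the window are constructed assumptions.

```python
"""Flag SSH brute-force activity in auth.log-style lines.

Added example for this review; the log lines are constructed in the
format sshd writes to syslog and are not from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (syslog has no year field). 203.0.113.5 fails five
# times in eleven seconds and then succeeds as root; 10.0.0.9 is a
# user mistyping a password once, which should not alert.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 web1 sshd[2201]: Accepted publickey for deploy from 10.0.0.7 port 50012 ssh2
Jan 12 03:14:07 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:12 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:15 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 12 03:14:18 web1 sshd[2214]: Failed password for root from 203.0.113.5 port 51248 ssh2
Jan 12 03:14:40 web1 sshd[2220]: Accepted password for root from 203.0.113.5 port 51300 ssh2
Jan 12 03:20:02 web1 sshd[2301]: Failed password for alice from 10.0.0.9 port 40022 ssh2
Jan 12 03:20:10 web1 sshd[2302]: Accepted password for alice from 10.0.0.9 port 40024 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unrecognised lines are skipped, never guessed at
    ev = m.groupdict()
    # No year in syslog timestamps; strptime defaults to 1900, which is
    # fine for the time differences used here (a year boundary would not be).
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def analyze_auth_log(lines, threshold=5, window_seconds=60):
    """Return alerts for brute force and for success after brute force."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()                # ips already reported for brute force
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop stale failures
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)  # report each source once, not per failure
                alerts.append({
                    "kind": "bruteforce", "ip": ip, "failures": len(recent),
                    "first": recent[0].strftime("%b %d %H:%M:%S"),
                    "last": ts.strftime("%b %d %H:%M:%S"),
                })
        elif ip in flagged:
            # A success from a flagged source is the case to escalate.
            alerts.append({
                "kind": "success-after-bruteforce", "ip": ip,
                "user": ev["user"], "method": ev["method"],
                "ts": ts.strftime("%b %d %H:%M:%S"),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The once-per-source flag keeps a noisy scanner from generating thousands of identical alerts, and the success-after-brute-force escalation is what distinguishes an attempted compromise from a completed one. The same structure extends to other authentication sources (sudo lines, Windows event 4625/4624 pairs) by changing the parser; the sliding-window counter does not care where the events came from.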
If you are interested in CISM bootcamp-style training too, click here to receive an overview of what the course offers you and the current pricing. The course allows candidates to develop the necessary skill set to fit into the current and ever-growing information security industry, and is in line with today’s acceptable industry standards.
After passing the examination, candidates will possess the necessary skill set to respond effectively to unexpected events within the organization. They will have the ability to identify different attack vectors that could lead to undesirable consequences within the organization. They will also be able to address these situations by providing valuable insight and input that will result in potential risks reduced to acceptable levels according to organizational objectives.