2003 CISM Review Course Chapter 5 Response Management

2003 CISM™ Review Course Chapter 5 Response Management © 2003 ISACA


Chapter Overview
• This area consists of 6 task statements and 10 knowledge statements

Chapter Objective
• Ensure that the CISM knows how to “develop policies and procedures that will enable an organization to respond to and recover from disruptive and destructive information security events”

Chapter Summary
• According to the CISM Certification Board, this area will represent approximately 13% of the CISM examination (approximately 26 questions)

Task 1: Develop and implement processes for detecting, identifying and analyzing security-related events
• The information security manager should:
– employ a number of different mechanisms to detect security-related events, such as monitoring incident reporting websites, news organizations, user organizations and hardware and software vendors
– consider vendor services that provide notifications of security-related events to organizations
– implement automated detection services, such as in-house or managed intrusion detection services, to monitor attempts to access the organization’s information resources
– perform detection and monitoring procedures on a regular basis
– analyze security events, assess their impact upon the organization’s information resources and modify the security program as necessary

Task 2: Develop response and recovery plans, including organizing, training and equipping the teams
• The information security manager should:
– use a risk assessment to identify those resources that are most important to the organization
– identify the resources required to continue the business should a business interruption occur
– develop and investigate response and recovery strategies
– gain senior management approval
– oversee the development of comprehensive response and recovery plans
– assign team members
• The information security manager should develop event scenarios and test the response and recovery plans to ensure that the team participants are familiar with their responsibilities

Task 3: Ensure periodic testing of the response and recovery plans where appropriate
• The information security manager should implement periodic testing of the response and recovery plans. The testing should include:
– Developing test objectives
– Evaluating the test
– Developing recommendations to improve the response and recovery plans
– Implementing a follow-up process to ensure that the recommendations are implemented
• Response and recovery plans that have not been tested present the organization with a risk that the plans may not work
• Once the test objectives have been defined, the information security manager should ensure that an independent third party is present to monitor and evaluate the test
• The information security manager also should implement a tracking process to ensure that the recommendations are implemented in a timely fashion

Task 4: Ensure the execution of response and recovery plans as required
• A facilitator or director is needed to direct the tasks within the plans, oversee their execution, liaise with senior management and make decisions as necessary
• The information security manager may or may not be the person who acts as the recovery plan director or coordinator, but should ensure the role is assigned to someone who can perform this important function
• Defining appropriate recovery strategies and alternatives is an important part of the overall process

Task 4 (cont)
• Testing of the plans also helps ensure that the plans can be executed as required. By testing the plans in a scenario, recovery personnel become more familiar with the tasks and their responsibilities within the plan
• The information security manager also can appoint an observer who will record the progress and document any exceptions that occur during an actual execution of the plan
• Then, through a post-event review, the information security manager and key recovery personnel can review the observations and adjust the plan accordingly
• Finally, since organizations constantly evolve and change, the information security manager must establish a process by which recovery plans are updated

Task 5: Establish procedures for documenting an event as a basis for subsequent action, including forensics when necessary
• In case an incident occurs:
– the information security staff needs to have documented procedures so that the information can be recorded and the data preserved
– the information security manager should develop data preservation procedures with the advice and assistance of legal counsel, the organization’s managers and knowledgeable law enforcement officials
– there are a few basic actions the information systems staff must understand, including taking no actions that could change, modify or contaminate potential or actual evidence

Task 5 (cont)
• Initial response by the system administrator includes:
– Retrieving information to confirm the incident
– Identifying the scope and size of the affected environment (networks, machines/systems, applications)
– Determining the loss, modifications or damage (if any)
– Identifying the possible path or means of attack
– Backing up all possible sources of evidence or relevant information

Task 6: Manage post-event reviews to identify causes and corrective actions
• The information security manager should manage post-event reviews to learn from the completed tasks and to use the information to improve the organization’s response procedures
• The information security manager may perform these reviews with the help of third-party specialists should detailed forensic skills be needed
• The security event may not always involve an outside attack, or even an internal attack, but also can be the result of a failure in the security controls implemented within the security program
• An event review team should be established. This team would be able to review the evidence and develop recommendations to enhance the security program

Knowledge Statement 1: Knowledge of the components of an incident response capability
• An effective incident response capability not only reacts to incident events but, if defined and managed properly, can be used as a proactive control
• By dealing with the incident in a timely and effective manner and assessing the results, recommended changes may be made to improve the organization’s security program

Knowledge Statement 1 (cont)
• Incident response may vary in approach depending on the situation, but the goals are constant. These goals can include:
– Recovering quickly and efficiently from security incidents
– Minimizing the impact of the security incident
– Responding systematically and decreasing the likelihood of recurrence
– Balancing operational and security needs
– Dealing with legal issues
• The information security manager also needs to define what constitutes an incident. Typically, incidents include:
– Malicious code attacks
– Unauthorized access
– Unauthorized utilization of services
– Denial/disruption of service
– Misuse
– Espionage
– Hoaxes/social engineering

Knowledge Statement 2: Knowledge of information security emergency management practices (e.g., production change control activities, development of a computer emergency response team)
• The information security manager should:
– understand the various activities involved in an information security emergency management program
– meet with emergency management officials (federal, state/provincial, municipal/local) to understand what governmental capabilities exist
• Emergency management activities typically focus on the activities immediately after an event
• Emergency management activities typically include measures to assure the safety of personnel, such as evacuation plans and the creation of a command center from which emergency procedures can be executed
• It also is important that information about an incident only be communicated on a need-to-know basis

Knowledge Statement 3: Knowledge of disaster recovery planning and business recovery processes
• The information security manager should understand the processes of disaster recovery and business recovery planning, as information resources are affected by a business interruption event
• Disaster recovery traditionally has been defined as the recovery of information technology systems
• Business recovery is defined as the recovery of the critical business processes. Business recovery includes disaster recovery but has broader coverage, as the organization’s business processes and resources must be included
• Each of these planning processes typically includes several main phases:
– Risk assessment and business impact assessment
– Recovery strategy definition
– Documentation of recovery plans
– Testing of recovery plans

Knowledge Statement 3 (cont)
• Since organizations are dynamic and subject to constant change, the recovery process must ensure that plans are updated continuously and adapted to reflect the current objectives and conditions of the organization
• Senior management approval of the recovery strategy is an important step
• The information security manager will define the procedures to determine the recovery time objective (RTO) of the various business processes, i.e., the time within which each process must be restored after an interruption, and work to develop recovery strategies that meet that business need

Knowledge Statement 3 (cont)
• The information security manager also needs to be concerned with helping the organization define the recovery point objective (RPO)
• The RPO describes the age of the data that the organization needs to have the ability to restore in the event of a disaster; in other words, how much data, measured in time, the business can afford to lose. The information security manager will need to balance meeting the business recovery needs against the cost of the recovery capability
• The information security manager also needs to ensure that information security is incorporated in any recovery strategy that is implemented, so that the information resources are protected even in the event of a business interruption
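The balancing act described above, as an added example that is not part of the ISACA course material: each candidate recovery strategy is scored on the RTO and RPO it can actually deliver, and the cheapest one that satisfies a business process's objectives is chosen. The strategies, their costs and the process objectives are constructed for illustration. The one point worth noticing is that the RPO a backup scheme achieves is not simply its interval: a failure that strikes while a copy is still being taken loses the whole interval plus the in-flight copy.

```python
"""Added example (not part of the ISACA course material): checking candidate
recovery strategies against the recovery time objective (RTO) and recovery
point objective (RPO) of each business process and selecting the cheapest
capability that meets both. Strategies, costs and process objectives below
are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RecoveryStrategy:
    name: str
    copy_interval_h: float   # hours between restorable copies (0 = continuous replication)
    copy_duration_h: float   # hours a copy takes; data written meanwhile is not in it
    restore_time_h: float    # hours to return the process to service from a copy
    annual_cost: int         # annual cost of keeping the capability ready

    def achieved_rpo_h(self) -> float:
        # Worst case: the disaster strikes just before a copy completes, so the
        # newest usable copy is one full interval plus one copy duration old.
        return self.copy_interval_h + self.copy_duration_h

    def achieved_rto_h(self) -> float:
        return self.restore_time_h

    def meets(self, rto_h: float, rpo_h: float) -> bool:
        return self.achieved_rto_h() <= rto_h and self.achieved_rpo_h() <= rpo_h


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    rto_h: float   # how long the process may be unavailable
    rpo_h: float   # how much data, measured in hours of work, may be lost


STRATEGIES: List[RecoveryStrategy] = [  # constructed figures
    RecoveryStrategy("Nightly tape, off-site", 24, 4, 48, 20_000),
    RecoveryStrategy("Hourly disk snapshots, replicated", 1, 0.1, 8, 90_000),
    RecoveryStrategy("Mirrored site, synchronous", 0, 0, 1, 400_000),
]

PROCESSES: List[BusinessProcess] = [  # constructed objectives, as a BIA would produce
    BusinessProcess("Order entry", rto_h=4, rpo_h=1),
    BusinessProcess("Payroll", rto_h=72, rpo_h=24),
    BusinessProcess("Document archive", rto_h=168, rpo_h=48),
    BusinessProcess("Trading feed", rto_h=0.5, rpo_h=0),
]


def select_strategy(strategies: List[RecoveryStrategy],
                    process: BusinessProcess) -> Optional[RecoveryStrategy]:
    """Cheapest strategy satisfying both objectives; None means no existing
    capability meets the business need and the gap must go to management."""
    candidates = [s for s in strategies if s.meets(process.rto_h, process.rpo_h)]
    if not candidates:
        return None
    return min(candidates, key=lambda s: s.annual_cost)


def plan(strategies: List[RecoveryStrategy],
         processes: List[BusinessProcess]) -> Dict[str, Optional[str]]:
    """Map each process to the chosen strategy name (None where nothing fits)."""
    result: Dict[str, Optional[str]] = {}
    for p in processes:
        chosen = select_strategy(strategies, p)
        result[p.name] = chosen.name if chosen else None
    return result


if __name__ == "__main__":
    for name, strategy in plan(STRATEGIES, PROCESSES).items():
        print(f"{name}: {strategy or 'NO STRATEGY MEETS RTO/RPO - escalate to management'}")
```

With these constructed numbers, nightly tape cannot serve Payroll even though its 24 h interval looks like a match for a 24 h RPO, because the 4 h copy window pushes the worst-case data loss to 28 h; and nothing on the list serves the Trading feed, which is the kind of result that should reach senior management as a funding decision rather than stay in the plan as an assumption.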

Knowledge Statement 4: Knowledge of disaster recovery testing for infrastructure and critical business applications
• Testing of the recovery plans needs to include infrastructure and critical applications
• The information security manager should secure these systems during a disaster event
• Based on the risk assessment and business impact information, the information security manager will identify the critical applications the organization requires and the infrastructure needed to support them
• To ensure that these will be recovered in a timely fashion, the information security manager needs to perform recovery tests

Knowledge Statement 4 (cont)
• Generally the information security manager performs tests that progressively challenge the recovery plans. Examples include:
– “Table top” walk-throughs of the plans
– “Table top” walk-throughs with mock disaster scenarios
– Testing of the infrastructure and communication components of the recovery plan
– Testing of the infrastructure and recovery of the critical applications
– Testing of the infrastructure, critical applications and involvement of the end users
– Surprise tests

Knowledge Statement 4 (cont)
• This testing process enables the information security manager to gain momentum, achieve initial successes and modify the plan based on information gained from the initial tests
• Performing a robust test costs resources and requires the coordination of various departments. A minor error or mishap (e.g., a missing set of backup media) could make completing the full test impossible
• In case the normal business operations are destroyed or inaccessible, the manager needs to have alternative operating strategies based on the recovery strategy
• The information security manager also should report to senior management on the recovery capability of the organization

Knowledge Statement 5: Knowledge of the escalation process for effective security management
• The information security manager should implement an escalation process for effective security management
• A detailed description of the escalation process should be documented
• The escalation process should include the prioritizing of event information and the decision process for determining when to alert various groups, including senior management, the public, shareholders and stakeholders, legal counsel, human resources, vendors and customers
• An escalation process also is important if the organization utilizes vendor security services. An escalation process should be agreed with the vendors so that appropriate notification/information sharing takes place during and after an event
• The information security manager also should have a mechanism to communicate crisis or event information

Knowledge Statement 6: Knowledge of intrusion detection policies and processes
• The information security manager should understand the intrusion detection policies and procedures, including some basic requirements such as:
– Requiring that the system is fault tolerant and is itself suitably secure against attack
– Requiring that it runs continuously
– Requiring that it is easily modified and can adapt to changes
– Requiring that it does not impose excessive overhead
– Requiring that it detects anomalies
• A company should use an intrusion detection system that combines both host- and network-based sensors, suitably placed to provide adequate coverage of the network topology
• Most systems can be set up to contact the security staff in the event suspicious activity is detected

Knowledge Statement 6 (cont)
• Intrusion detection policies and procedures should include:
– Identifying the vulnerability used by the perpetrator
– Recording logs and making a backup of the systems impacted
– Identifying the motivation for the attack
– Determining if other systems were compromised
– Determining if any viruses were left behind or if any programs were left behind for future use
– Documenting the steps taken to follow up on unusual activity
– Assigning responsibilities for the various aspects of the intrusion detection process
• The information security manager should define the goals, objectives and priorities for the intrusion detection systems and assess the alternative that will best fulfill these requirements

Knowledge Statement 6 (cont)
• The information security manager should understand the complete costs of implementing such a security control, as resources will need to be assigned to implement, monitor and respond to the alarms generated by these tools
• The information security manager should determine the appropriate mix between externally managed security services providers managing the organization’s intrusion detection systems and internal staff, to achieve a timely and knowledgeable reaction to malicious activity

Knowledge Statement 7: Knowledge of help desk processes for identifying security incidents reported by users and distinguishing them from other issues dealt with by the help desks
• The information security manager should have processes defined for help desk personnel to distinguish a typical help desk request from a possible security incident
• In addition to identifying the possible security incident, the help desk personnel should be aware of the procedures to report and escalate the issue

Knowledge Statement 8: Knowledge of the notification process in managing security incidents and recovery (e.g., automated notice and recovery mechanisms that respond to virus alerts in real time)
• The information security manager should understand that having an effective and timely security incident notification process is a critical component of an effective security program
• Mechanisms exist that enable an automated detection system or monitor to send e-mail or phone messages to designated personnel

Knowledge Statement 8 (cont)
• These notification activities are only effective if knowledgeable personnel understand their responsibilities and react to them
• The information security manager therefore needs to define the responsibilities and communicate them to key personnel
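Knowledge Statements 5, 6 and 8 describe one pipeline: detect, prioritize, decide whom to alert, and notify within a defined time. The following added example (written for this page, not part of the ISACA material) runs a few detection rules over constructed log lines, maps each hit to an incident category from the Knowledge Statement 1 list, correlates a burst of failed logins into a single brute-force event rather than five unrelated low-priority alerts, and then routes every event through an escalation matrix that names the groups to notify and the deadline for doing so. Hosts, addresses, group names, thresholds and deadlines are all made up; a real matrix would come from the documented escalation process.

```python
"""Added example (not part of the ISACA course material): detection rules run
over constructed log lines, each hit mapped to an incident category from the
Knowledge Statement 1 list, prioritized, and routed through an escalation
matrix (Knowledge Statement 5) so that notification (Knowledge Statement 8)
reaches the right groups within a defined time. Hosts, addresses, group
names, thresholds and deadlines are all made up."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Severity 1 = low, 3 = high; deadline is minutes from detection (constructed).
ESCALATION_MATRIX: Dict[int, Dict] = {
    1: {"notify": ["security-oncall"], "deadline_min": 240},
    2: {"notify": ["security-oncall", "it-operations"], "deadline_min": 60},
    3: {"notify": ["security-oncall", "it-operations", "legal", "senior-management"],
        "deadline_min": 15},
}

# (category, pattern, base severity). Order matters: the first match wins.
RULES = [
    ("Unauthorized access",
     re.compile(r"sshd\[\d+\]: Accepted password for root from (?P<src>\S+)"), 3),
    ("Unauthorized access",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<src>\S+)"), 1),
    ("Malicious code", re.compile(r"antivirus: (?P<src>\S+) detected \S+"), 2),
    ("Denial/disruption of service", re.compile(r"firewall: SYN flood from (?P<src>\S+)"), 2),
]
BRUTE_FORCE_THRESHOLD = 5   # failed logins from one source before they count as an attack


@dataclass
class Event:
    timestamp: datetime
    category: str
    severity: int
    source: str      # attacking address or affected host
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Match one 'ISO-timestamp message' line against the rules; None if no rule fires."""
    ts_text, _, message = line.partition(" ")
    for category, pattern, severity in RULES:
        m = pattern.search(message)
        if m:
            return Event(datetime.fromisoformat(ts_text), category, severity,
                         m.group("src"), message)
    return None


def detect(lines: List[str]) -> List[Event]:
    """Parse, then correlate: a burst of failed logins from one source becomes
    a single severity-2 brute-force event instead of many severity-1 ones."""
    events = [e for e in map(parse_line, lines) if e]
    failed = [e for e in events if e.category == "Unauthorized access" and e.severity == 1]
    per_source = Counter(e.source for e in failed)
    kept = [e for e in events
            if not (e in failed and per_source[e.source] >= BRUTE_FORCE_THRESHOLD)]
    for src, n in per_source.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            first = min(e.timestamp for e in failed if e.source == src)
            kept.append(Event(first, "Unauthorized access", 2, src,
                              f"{n} failed logins from {src} (brute force)"))
    return sorted(kept, key=lambda e: e.timestamp)


def escalate(event: Event) -> Dict:
    """Who must be alerted and by when, taken from the escalation matrix."""
    entry = ESCALATION_MATRIX[event.severity]
    return {"category": event.category, "severity": event.severity,
            "source": event.source, "detail": event.detail,
            "notify": list(entry["notify"]),
            "deadline": event.timestamp + timedelta(minutes=entry["deadline_min"])}


def triage(lines: List[str]) -> List[Dict]:
    """Notifications ordered highest severity first, then by earliest deadline."""
    return sorted((escalate(e) for e in detect(lines)),
                  key=lambda n: (-n["severity"], n["deadline"]))


SAMPLE_LOG = [  # constructed sample input
    "2003-05-12T02:14:01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7",
    "2003-05-12T02:14:03 sshd[4122]: Failed password for root from 203.0.113.7",
    "2003-05-12T02:14:05 sshd[4123]: Failed password for invalid user oracle from 203.0.113.7",
    "2003-05-12T02:14:07 sshd[4124]: Failed password for invalid user test from 203.0.113.7",
    "2003-05-12T02:14:09 sshd[4125]: Failed password for root from 203.0.113.7",
    "2003-05-12T02:20:44 sshd[4130]: Failed password for jsmith from 198.51.100.20",
    "2003-05-12T02:31:10 antivirus: ws-017 detected W32/Klez",
    "2003-05-12T03:02:55 firewall: SYN flood from 192.0.2.99",
    "2003-05-12T03:10:12 sshd[4188]: Accepted password for root from 203.0.113.7",
    "2003-05-12T03:10:13 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for n in triage(SAMPLE_LOG):
        print(f"sev {n['severity']} {n['category']:<30} {n['source']:<14} "
              f"notify {', '.join(n['notify'])} by {n['deadline']:%H:%M}")
```

On the sample input the root login from the same address that was brute-forcing an hour earlier comes out first, with a 15-minute deadline and senior management and legal on the list; the single mistyped password from a different address stays a low-priority item for the on-call engineer. The deadlines are what make the Knowledge Statement 8 point measurable: an alert that nobody acts on before its deadline is a failure of the process, not of the tool.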

Knowledge Statement 9: Knowledge of the requirements for collecting and presenting evidence; rules for evidence, admissibility of evidence, quality and completeness of evidence
• The information security manager should understand that any contamination of evidence following an intrusion could severely inhibit the organization’s ability to prosecute the perpetrator
• In addition, the modification of data can inhibit the computer forensic activity necessary to identify the perpetrator and assess what was damaged
• By inhibiting these activities, the organization may not be able to identify how the intrusion was completed and how the security program should be changed and enhanced to eliminate the risk of a similar intrusion in the future
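Task 5 asks for documented procedures that record information and preserve data without contaminating evidence, and Knowledge Statement 9 explains what is lost when that fails. The added example below (written for this page, not part of the ISACA material) shows the minimum technical backing for such a procedure: a verbatim copy of the evidence is hashed at acquisition, every hand-over or examination is appended to a chain-of-custody log whose entries are hash-linked to each other, and a verification step later re-hashes the copy and re-walks the log. The sample log content, names and times are constructed; the two spoiled cases at the end are the ones an incident team most often causes itself, a "tidied" copy and a custody record with a missing entry.

```python
"""Added example (not part of the ISACA course material) for Task 5 and
Knowledge Statement 9: preserving a copy of evidence so that later handling
can be shown not to have altered it. The item is hashed on acquisition,
every hand-over or examination is appended to a hash-linked chain-of-custody
log, and verification re-hashes the copy and re-walks the log. Sample log
content, names and times are constructed."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List

GENESIS = "0" * 64   # previous-entry hash for the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    label: str
    data: bytes                # verbatim copy; the original source is not touched
    acquired_sha256: str       # hash taken at the moment of acquisition
    custody: List[Dict[str, str]] = field(default_factory=list)


def record(item: EvidenceItem, who: str, when: str, action: str) -> None:
    """Append a custody entry; each entry commits to the one before it, so a
    removed or reordered entry breaks the chain."""
    prev = item.custody[-1]["entry_sha256"] if item.custody else GENESIS
    entry = {"when": when, "who": who, "action": action,
             "evidence_sha256": sha256_hex(item.data), "prev_entry_sha256": prev}
    entry["entry_sha256"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    item.custody.append(entry)


def acquire(label: str, source: bytes, who: str, when: str) -> EvidenceItem:
    """Copy the source, hash it once, and open the custody log."""
    item = EvidenceItem(label, bytes(source), sha256_hex(source))
    record(item, who, when, "acquired")
    return item


def verify(item: EvidenceItem) -> List[str]:
    """Problems found; an empty list means copy and log are consistent."""
    problems: List[str] = []
    if sha256_hex(item.data) != item.acquired_sha256:
        problems.append(f"{item.label}: content hash changed since acquisition")
    prev = GENESIS
    for i, entry in enumerate(item.custody):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"{item.label}: custody entry {i} not linked to the previous entry")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_sha256"]:
            problems.append(f"{item.label}: custody entry {i} altered")
        if entry["evidence_sha256"] != item.acquired_sha256:
            problems.append(f"{item.label}: custody entry {i} hashed different evidence")
        prev = entry["entry_sha256"]
    return problems


SAMPLE_SOURCE = (  # constructed: an auth log captured from a compromised host
    b"2003-05-12T02:14:01 sshd[4121]: Failed password for root from 203.0.113.7\n"
    b"2003-05-12T03:10:12 sshd[4188]: Accepted password for root from 203.0.113.7\n"
)


def demo() -> Dict[str, List[str]]:
    """Clean handling, then two ways evidence is commonly spoiled."""
    item = acquire("web01 auth.log", SAMPLE_SOURCE, "j.doe (sysadmin)", "2003-05-12T03:40:00Z")
    record(item, "a.lee (security)", "2003-05-12T09:00:00Z", "transferred")
    record(item, "a.lee (security)", "2003-05-12T10:15:00Z", "examined")
    clean = verify(item)
    # 1. Someone "tidies" the copy after acquisition: content no longer matches.
    altered = EvidenceItem(item.label, item.data.replace(b"203.0.113.7", b"x.x.x.x"),
                           item.acquired_sha256, list(item.custody))
    # 2. The 'transferred' entry is dropped from the log: the chain no longer links.
    spliced = EvidenceItem(item.label, item.data, item.acquired_sha256,
                           [item.custody[0], item.custody[2]])
    return {"clean": clean, "altered": verify(altered), "spliced": verify(spliced)}


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The hashes prove integrity of the copy from acquisition onward; they say nothing about what happened on the original system before the copy was taken, which is why the Task 5 procedure starts with "take no action that could change the evidence" and why the acquisition is recorded with who did it and when.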

Knowledge Statement 10: Knowledge of post-incident reviews and follow-up procedures
• Understanding the purpose and structure of post-incident reviews and follow-up procedures will enable the information security manager to continuously improve the security program
• A consistent methodology should be adopted within the security organization so that when a problem is found, an action plan is developed to reduce/mitigate the vulnerability
• A consistent process will limit the amount of time personnel spend reacting to security incidents, so they are able to spend more time on proactive activities

Chapter 5: Glossary
• Business impact analysis (BIA)
• Disaster recovery plan walkthrough
• Forensic examination
• Mirrored site
• Passive response
• Threat analysis

Sample Question
The FIRST step in beginning a business continuity process should be to:
A. identify alternative processing sites.
B. determine suitable insurance.
C. establish the business objectives of information processing facilities.
D. perform a business impact analysis.

Chapter 5: Recap
• Group discussion
• Questions