- You are the CISO of your company. You have implemented an incident response program to handle security incidents. The on-premise ERP system gets in trouble and becomes unresponsive. The availability of the ERP system has been harmed. To which of the following should the ERP users report this incident?
A. Service Desk
B. Network Administrator
C. Chief Information Officer (CIO)
D. Computer Security Incident Response Team (CSIRT) - You are the CISO of your company. You have implemented an incident response program to handle security incidents. Your online e-commerce web site is suffering distributed denial-of-service (DDoS) attack. The incident response team received a report from users that the e-commerce web site is offline and unreachable. What should the incident response team do first?
A. Collect and preserve evidence
B. Report to the senior management
C. Document and prioritize the incident
D. Contain, Eradicate, and Recover
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
The following is my answers:
Question #1: A. Service Desk
Question #2: C. Document and prioritize the incident
Question #1
This question is designed from the perspective of the security function. If you are a CISO, how do you handle the relationship with the CIO, or how do you define the roles and responsibilities of your security function?
It’s common for enterprises to implement ITIL. Service Desk, Incident Management, and Problem Management are basic building blocks. The IT department handles incidents to maintain IT service level, while security guys take care of security incidents to achieve the CIA objectives and support business processes. As a CISO, how do you define which incidents belong to the IR team so that the security guys and the IT department can work together smoothly?
An On-premise ERP incident is typically viewed as an IT incident. However, it’s also a good practice to report an incident to the Service Desk first; the support staff can dispatch the incident to the appropriate team for further treatment if necessary.
That’s why I suggest “A. Service Desk” as the correct answer.
Question #2
This question is designed based on the NIST Incident Response Life Cycle. Please refer to NIST SP 800-61R2 for details.
Incident Response Life Cycle
You have to do the “triage” work (Detection and Analysis phase in NIST) before you get your hands dirty to “respond” to the incident (Containment, Eradication, and Recovery phase in NIST).
Triage (Detection and Analysis)
- Analyze and validate if the incident report is true
- If it is true, document and prioritize it.
- Report to the appropriate level according to the Incident Response Plan. (Please refer to Alex Varghese’s Justification below for more information)
Respond (Containment, Eradication, and Recovery)
- Collect and preserve evidence before you start to handle the incident
- Contain, Eradicate, and Recover
Incident Response Checklist
Source: the Incident Response Life Cycle and Incident Response Checklist are screenshots from the NIST SP 800-61R2.
Incident Response Approaches
- Incident Response Steps Comparison Guide for SANS and NIST
- Summary of Incident Response Process
Summarized by Wentz Wu
Reminders
Outline Bullets Imply But Are Not the Logical Process
The incident response steps in Sybex and AIO follow the CISSP Exam Outline as follows:
The CISSP Exam Outline
- Is it arranged strictly in a logical way? I don’t think so. It seemingly conflicts the NIST incident response life cycle in some aspect, e.g. reporting. If you are studying the study guides from Sybex or AIO, think in-depth about it and I am sincerely expecting that you share your perspectives with us.
- The following is a similar question from IT Dojo:
CISSP Practice Questions of the Day from IT Dojo – #99 – Security Incidents & Bell-Lapadula
Incident Management and Incident Response
- In CISM, it distinguishes “Incident Management” from “Incident Response”.
Alex Varghese’s Justification
Thank you, Alex. Your justification is awesome.
More Thinking Points
- Security process integration is a major concern in terms of information security governance. As a CISO or champion, how do you integrate the security incident response with the service desk and the incident management given ITIL is implemented by the IT department?
- Not every incident is created equal. As a CISO or champion, how do you define and categorize security incidents, evaluate their impacts, and determine the reporting escalation in your incident response plan? When is the decision to be made to warrant forensic investigation?
Share to Learn
No one knows everything or anything. Let’s share to learn together!