Questions of the Day – 20190815

CISSP Practice Questions

  1. You are the CISO of your company. You have implemented an incident response program to handle security incidents. The on-premises ERP system gets into trouble and becomes unresponsive, so the availability of the ERP system has been harmed. To which of the following should the ERP users report this incident?
    A. Service Desk
    B. Network Administrator
    C. Chief Information Officer (CIO)
    D. Computer Security Incident Response Team (CSIRT)
  2. You are the CISO of your company. You have implemented an incident response program to handle security incidents. Your online e-commerce web site is suffering a distributed denial-of-service (DDoS) attack. The incident response team received a report from users that the e-commerce web site is offline and unreachable. What should the incident response team do first?
    A. Collect and preserve evidence
    B. Report to the senior management
    C. Document and prioritize the incident
    D. Contain, Eradicate, and Recover


Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether your answer is right or wrong; what really matters is your reasoning process and justifications.

The following are my answers:
Question #1: A. Service Desk
Question #2: C. Document and prioritize the incident

Question #1

This question is designed from the perspective of the security function. If you are a CISO, how do you handle the relationship with the CIO, or how do you define the roles and responsibilities of your security function?

It’s common for enterprises to implement ITIL. Service Desk, Incident Management, and Problem Management are basic building blocks. The IT department handles incidents to maintain IT service level, while security guys take care of security incidents to achieve the CIA objectives and support business processes. As a CISO, how do you define which incidents belong to the IR team so that the security guys and the IT department can work together smoothly?

An on-premises ERP incident is typically viewed as an IT incident. However, it is also good practice to report any incident to the Service Desk first; the support staff can dispatch it to the appropriate team (the CSIRT included) for further treatment if necessary.

That’s why I suggest “A. Service Desk” as the correct answer.

Question #2

This question is designed based on the NIST Incident Response Life Cycle. Please refer to NIST SP 800-61R2 for details.

Incident Response Life Cycle

You have to do the “triage” work (Detection and Analysis phase in NIST) before you get your hands dirty to “respond” to the incident (Containment, Eradication, and Recovery phase in NIST).

Triage (Detection and Analysis)

  1. Analyze and validate whether the incident report is genuine
  2. If it is true, document and prioritize it.
  3. Report to the appropriate level according to the Incident Response Plan. (Please refer to Alex Varghese’s Justification below for more information)

Respond (Containment, Eradication, and Recovery)

  1. Collect and preserve evidence before you start to handle the incident
  2. Contain, Eradicate, and Recover
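
The triage-then-respond ordering above can be made concrete. The following is an added example written for this post, not code from NIST or from the original article: it models an incident as a small state machine whose steps must follow the SP 800-61R2 life cycle (validate, document, prioritize and report before evidence preservation, and evidence preservation before containment), and it prioritizes with the three factors SP 800-61R2 lists for that purpose (functional impact, information impact, recoverability). The P1 to P4 labels, the "worst rating wins" scoring rule, the escalation table and the ticket values are assumptions constructed for the example, standing in for whatever a real incident response plan would define.

```python
"""Triage-before-response ordering from NIST SP 800-61R2, modelled in code.
The three impact factors are SP 800-61R2's prioritization factors; the P1-P4
labels, the scoring rule and the escalation targets are constructed here."""
from dataclasses import dataclass, field
from enum import Enum


class FunctionalImpact(Enum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class InformationImpact(Enum):
    NONE = 0
    PRIVACY_BREACH = 1
    PROPRIETARY_BREACH = 2
    INTEGRITY_LOSS = 3


class Recoverability(Enum):
    REGULAR = 0
    SUPPLEMENTED = 1
    EXTENDED = 2
    NOT_RECOVERABLE = 3


# Life-cycle order: triage (validate, document, prioritize, report) comes
# before evidence preservation, and evidence preservation before containment.
PHASES = ["reported", "validated", "documented", "prioritized", "escalated",
          "evidence_preserved", "contained", "eradicated", "recovered"]

# Constructed escalation table standing in for a real incident response plan.
ESCALATION = {"P1": "CISO and senior management", "P2": "CSIRT lead",
              "P3": "CSIRT on-call analyst", "P4": "service desk queue"}


class HandlingOrderError(Exception):
    """A handling step was attempted out of life-cycle order."""


@dataclass
class Incident:
    ticket: str
    functional: FunctionalImpact
    information: InformationImpact
    recoverability: Recoverability
    state: str = "reported"
    priority: str = ""
    log: list = field(default_factory=list)

    def advance(self, step: str) -> None:
        """Move to `step`, which must be the phase right after the current one."""
        if self.state not in PHASES or self.state == PHASES[-1]:
            raise HandlingOrderError(f"{self.ticket}: no steps after '{self.state}'")
        expected = PHASES[PHASES.index(self.state) + 1]
        if step != expected:
            raise HandlingOrderError(
                f"{self.ticket}: cannot '{step}' while '{self.state}'; "
                f"next allowed step is '{expected}'")
        self.state = step
        self.log.append(step)


def priority_for(incident: Incident) -> str:
    """The worst of the three ratings sets the priority (constructed rule)."""
    worst = max(incident.functional.value, incident.information.value,
                incident.recoverability.value)
    return {3: "P1", 2: "P2", 1: "P3", 0: "P4"}[worst]


def triage(incident: Incident, report_is_genuine: bool) -> str:
    """Detection and Analysis: validate, document, prioritize, then report."""
    if not report_is_genuine:
        incident.state = "closed_false_positive"
        incident.log.append(incident.state)
        return incident.state
    incident.advance("validated")
    incident.advance("documented")
    incident.priority = priority_for(incident)
    incident.advance("prioritized")
    incident.advance("escalated")
    incident.log.append(f"notified: {ESCALATION[incident.priority]}")
    return incident.priority


def respond(incident: Incident) -> str:
    """Containment, Eradication and Recovery, only after evidence is preserved."""
    for step in ("evidence_preserved", "contained", "eradicated", "recovered"):
        incident.advance(step)
    return incident.state


def ddos_scenario() -> Incident:
    """Question #2 walked through end to end (impact values are constructed)."""
    inc = Incident("INC-0002", FunctionalImpact.HIGH, InformationImpact.NONE,
                   Recoverability.SUPPLEMENTED)
    triage(inc, report_is_genuine=True)
    respond(inc)
    return inc
```

Calling `ddos_scenario()` runs the Question #2 case: the report is validated and documented, the site outage rates HIGH functional impact so the incident becomes P1 and is reported to the top of the escalation table, and only then are evidence preservation and containment allowed. Calling `advance("contained")` on a freshly reported incident raises `HandlingOrderError`, which is the point of the exercise: "Contain, Eradicate, and Recover" is not a legal first move.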

Incident Handling Checklist

Incident Response Checklist

Source: the Incident Response Life Cycle and Incident Response Checklist are screenshots from the NIST SP 800-61R2.

Incident Response Approaches

Incident Response Process

Summarized by Wentz Wu

Reminders

Outline Bullets Suggest, but Are Not, the Logical Process

The incident response steps in Sybex and AIO follow the CISSP Exam Outline as follows:

Conduct Incident Management

The CISSP Exam Outline

Incident Management and Incident Response

  • CISM distinguishes “Incident Management” from “Incident Response”.

Alex Varghese’s Justification

Thank you, Alex. Your justification is awesome.

More Thinking Points

  • Security process integration is a major concern in information security governance. As a CISO or security champion, how do you integrate security incident response with the service desk and incident management, given that the IT department has implemented ITIL?
  • Not every incident is created equal. As a CISO or security champion, how do you define and categorize security incidents, evaluate their impacts, and determine reporting and escalation in your incident response plan? At which point should the decision be made that an incident warrants a forensic investigation?

Share to Learn

No one knows everything or anything. Let’s share to learn together!
