Chapter 5.4 Flashcards

1
Q

Containment

A

Containment is a stage in the incident response lifecycle. In this stage, the goal is to limit the scope and reach of the event. One approach in containment is to isolate infected systems.

2
Q

Recovery

A

Recovery is a stage in the incident response lifecycle. This stage ensures the threat no longer exists and all systems are brought back to a secure state.

3
Q

Reporting requirements

A

The suspicion of data theft is typically enough to trigger reporting procedures. This involves notifying stakeholders, regulatory entities, and customers if applicable.

4
Q

Escalation

A

Increased involvement of senior staff in the management of an incident is called escalation. Escalation may be necessary if no response is made to an incident within an acceptable time frame.

5
Q

Tabletop exercise

A

With a tabletop exercise, staff will “ghost” the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything.

6
Q

Walkthrough exercise

A

Walkthroughs are used to provide basic awareness and training for disaster recovery team members. These exercises describe the contents of disaster recovery plans and other plans, and the roles and responsibilities outlined in those plans.

7
Q

Functional exercise

A

Functional exercises are implemented as action-based sessions where employees can validate all plans by performing scenario-based activities in a simulated environment.

8
Q

Full-scale exercise

A

Full-scale exercises are action-based sessions that reflect real situations. These exercises are held onsite and use real equipment and real personnel as much as possible.

9
Q

Scope

A

The scope of an incident (broadly, the number of systems affected) is not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance but is not a data breach risk.

10
Q

Privacy officer

A

A privacy officer is responsible for oversight of any Personally Identifiable Information (PII) assets managed by a company. This role ensures that the processing and disclosure of PII complies with legal and regulatory frameworks and also oversees the retention of PII.

11
Q

Eradication

A

Eradication is an incident response lifecycle phase pertaining to finding the root cause of an incident. For example, a user clicking a malicious link in an email is a root cause for a potentially larger problem.

12
Q

Preparation

A

Preparing for an incident response means establishing the policies and procedures for dealing with security breaches, along with personnel and resources to implement those policies. A triage plan is developed during this phase.

13
Q

Roles and responsibilities

A

Roles and responsibilities can be defined and acted out in an exercise. Assigning clear roles and responsibilities avoids confusion and missed steps during an incident response.

14
Q

COOP

A

Continuity of Operations (COOP) is a collection of processes that enable an organization to maintain normal business operations in the face of some adverse event. COOP is not part of the exercise process.

15
Q

Data integrity

A

Data integrity is typically the most important factor in prioritizing incidents and will often be based on the value of the at-risk data.

16
Q

Downtime

A

Downtime is the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. An alternate business practice (paper and pen) can commonly be utilized while systems are down.

17
Q

After-action report

A

Lessons learned is a stage in the incident response lifecycle. During this stage, the incident and related actions are reviewed for what went right and what went wrong. An after-action report is a result of a lessons learned session.

18
Q

Change management

A

Change management is a formal process that oversees change in an organization. Change can be proactive or reactive, and is usually carried out to make improvements.

19
Q

Corrective action report

A

A corrective action report is a formal response setting out a plan to correct a defect in a system, such as a security vulnerability.

20
Q

Lessons learned

A

Lessons learned is a stage in the incident response lifecycle. During this stage, the incident and related actions are reviewed for what went right and what went wrong.

21
Q

Identification

A

Identification is a stage in the incident response lifecycle. In this stage, it is determined whether an incident has taken place. The assessment of how severe the incident might be is followed by notification of the incident to stakeholders.

22
Q

Disaster recovery planning

A

Disaster recovery planning entails many pieces. Most important is the assignment of roles and responsibilities. Having individuals assigned to tasks helps to avoid overlap and confusion during an incident.

23
Q

Order of restoration

A

Order of restoration is a guideline for restoring systems after an incident. Using such a guideline helps dependent systems start up in the proper order.

24
Q

Preservation of evidence

A

Preservation of evidence is a concept and process that is used during an incident investigation. Preservation of evidence is used to protect evidence from damage or tampering.