Key Concepts 7.6 Conduct incident management Flashcards
Domain 7 (17 cards)
- Detection
- Response
- Mitigation
- Reporting
- Recovery
- Remediation
- Lessons Learned
CISSP Incident Management Process
The initial assessment and prioritization of an incident, determining its severity and scope.
Triage
Attempts to limit and control the incident from spreading. For example, disconnecting infected hosts from the network.
Containment
Steps taken to reduce the severity of the incident; the phase in which the organization begins to implement the actions necessary to fix the incident. For example, blocking malicious IP addresses with a firewall.
Mitigation
Restoring affected systems and services back to normal operations. For example, restoring data from backups and bringing production systems back online.
Recovery
Removing the underlying causes of the incident to prevent recurrence. For example, patching vulnerable software.
Remediation
Removing artifacts of the incident like malware and backdoors. For example, completely wiping and reinstalling compromised systems.
Eradication
Focuses on monitoring and identifying potential incidents through alerts and user reports.
Detection
Team members investigate the incident, assess the damage, collect evidence, report the incident, and begin to perform recovery procedures. Faster incident response gives a greater chance of reducing the scope and damage of an incident.
Response
Focuses on containing the incident and taking steps to limit its impact.
Mitigation
Involves documenting and communicating security incidents, both internally within an organization and potentially to external parties. Requirements vary depending on the severity and nature of the incident and on applicable regulations.
Reporting
- Report audience(s): The reporting hierarchy should be clearly defined within the organization's incident response plan. This might involve initial reports to a Security Operations Center (SOC) or IT team, followed by escalation to management depending on the severity.
- What to report: Incident reports should capture critical details like the type of incident, date and time, affected systems, potential impact, and containment steps taken.
- Timeliness: Prompt reporting is essential. Delays can hinder containment efforts and complicate investigations.
- Format: Language and level of detail will vary by audience.
Internal Reporting
- Government Regulations: Several regulations mandate reporting security incidents to government authorities or affected individuals. Examples include:
– HIPAA (Health Insurance Portability and Accountability Act): Requires reporting breaches of protected health information (PHI).
– GDPR (General Data Protection Regulation): Requires reporting personal data breaches to regulatory authorities and potentially affected individuals.
– PCI DSS (Payment Card Industry Data Security Standard): Requires reporting security incidents involving cardholder data to payment brands and acquiring banks.
- Impact on Stakeholders: Consider the potential impact on stakeholders like customers, partners, and investors when deciding the extent of external reporting. Transparency is important, but avoid unnecessary alarm.
- Legal Considerations: Consult with legal counsel to ensure reports comply with relevant regulations and avoid jeopardizing potential legal actions.
External Reporting
Focuses on restoring affected systems and services to normal operations.
Recovery
Identifying and mitigating vulnerabilities that led to the incident.
Remediation
The process that focuses on identifying the underlying cause of an issue or compromise.
Root cause analysis
In this phase, the organization performs a retrospective examination of the incident, identifying improvements to policies and controls that may prevent future recurrence.
Lessons Learned