Section A Engagement Life Cycle Management Flashcards

1
Q

Define Incident

A

an adverse event in an information system or network, or the threat of an occurrence of such an event

2
Q

Define Event

A

Anything that happens on a computer system, from the installation of a program to a fault in a component or a user logging on

3
Q

Business Continuity Management is defined in ISO 22301 as

A

The capability of an organisation to continue the delivery of products or services at acceptable pre-defined levels following a disruptive incident

4
Q

Deming's cycle

A

Plan, Do, Check, Act

5
Q

Four critical steps to BCM

A

1 - Identify what you need to protect
2 - Determine how you are going to protect it
3 - Validate and test
4 - Educate Employees

6
Q

Recovery Time Objective (RTO)

A

the period of time following an incident within which a product or service or an activity must be resumed, or resources must be recovered

7
Q

Maximum Tolerable Period of Disruption (MTPD)

A

the time it would take for adverse impacts, which might arise as a result of not providing a product/service or performing an activity, to become unacceptable

8
Q

Recovery Point Objective (RPO)

A

the point to which information used by an activity must be restored to enable the activity to operate on resumption

9
Q

Maximum Tolerable Data Loss (MTDL)

A

maximum loss of information (electronic and other data) that an organisation can tolerate. The age of the data could make operational recovery impossible or the value of the lost data so substantial as to put business viability at risk

10
Q

4 steps of Incident Investigation

A

Preparation.
Detection, Collection and Analysis.
Containment, Eradication and Recovery.
Post Incident Activity.

11
Q

Incident Investigation - Preparation

A

Establishing security plans and controls. These must be communicated to all personnel who need to know them.
Regular reviews and tests to ensure the plans are relevant and up to date with evolving threats.
Ensure the plans have direct impact on potential incidents in your organisation.
Swiftly dealing with an incident reduces the risk to the investigation and any potential evidence.

12
Q

Incident Investigation - Detection

A

The Detection of an event involves the observation and reporting of irregularities or suspicious activities within the business. An event might be reviewed by the Incident Response Team to evaluate whether it warrants treatment as an incident. The Incident Response Team initiates the tasks of data collection from affected areas and systems and performs data analysis.
During this phase, it is imperative that you adhere to your formal policies and procedures. For example, you need to make sure that your local forensic processes are followed (such as those published by the National Police Chiefs Council in the UK). We'll cover this in more detail later in this topic.
The Incident Response Team who are collecting the data must make sure the data integrity is maintained, protecting the original copy and all working copies of the evidence.
Once all evidence is collected, analysis can begin.

13
Q

Incident Investigation - Containment, Eradication and Recovery

A

Once the analysis process has been completed, the Incident Response Team should begin Containment of the problem, seeking to resolve it as effectively as possible. Containment is vital in order to minimise any impact on the business, including the supply chain. However, during containment, you must not lose vital sources of evidence, such as volatile memory. Containment and Eradication should protect service integrity, sensitive data, hardware and software. Recovery is a holistic approach to returning the business to normal operations.
The extent of the incident and its impact (for example, on IT systems and their users) can affect how closely a process can be followed. Most of the time, recovery involves backing up the unaffected data to use on the new systems. Operating systems and applications are often freshly installed to avoid contamination and to ensure all the latest patches are installed.

14
Q

Incident Investigation - Post Incident Activity

A

The Post Incident Activity phase involves documenting, reporting and reviewing the incident. Documentation includes the paper trail from when the incident was reported through to closure, along with any relevant audit logs that were compiled. Analysis methods, techniques, methodologies and additional findings should be included to make sure results can be repeated. All stakeholders and departments should have access to the final reports.

15
Q

NPCC Principle 1

A

No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court

16
Q

NPCC Principle 2

A

In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

17
Q

NPCC Principle 3

A

An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

18
Q

NPCC Principle 4

A

The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.