Writing Assignment: Module 04 Flashcards
What are the steps of the overall IR development process?
Preparation, detection and analysis, containment, eradication and recovery, and post-incident activity
What are the general stages followed by the IRP team?
*Form the IR planning committee
*Develop the IR planning policy
*Integrate the BIA
*Identify preventive controls
*Organize the Computer Security Incident Response Team
*Create IR strategies and procedures
*Develop the IR plan
*Ensure plan testing, training, and exercises
*Ensure plan maintenance
What are two external sources for performing IRP that were mentioned in this module?
The National Institute of Standards and Technology (NIST) and the CERT Coordination Center
What does the organizational phase of the IRP process begin with?
Begins with staffing the IR planning committee
Who are the typical stakeholders of the IR process?
-General management
-IT and InfoSec management
-Organizational departments
*Legal department
*Human resources department (HR)
*Public relations (PR)
*Departments with an information security overlap
-General end users, key business partners, contractors, temporary employee agencies, consultants
Which individuals should be assembled to form the IRP team?
Information technology (IT) involvement
Information security involvement
CPMT organizational management representatives
Team leader: liaison between IR team and CPMT
Champion: chief information officer (CIO) or vice president of IT
What should be among the first deliverables created by the IR planning committee?
IR policy
-First deliverable prepared by the IRP committee
-Similar in structure to other organization policies
What is the primary function of the IR policy?
-Defines team operations
-Articulates response to various types of incidents
-Advises end users on how to contribute to an effective response rather than contributing to the problem at hand
In order for IR policy to be effective, what group must give its full support?
Important to gain the support of top management and to be clearly understood by all affected parties.
What are the essential attributes of an IR policy document?
*Statement of management commitment
*Purpose and objectives of the policy
*Scope of the policy
*Definition of information security incidents
*Organizational structure and delineation of roles
*Prioritization or severity ratings of incidents
*Performance measures
*Reporting and contact forms
What is an incident response plan (IR plan)?
Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of unexpected events that might compromise information resources and assets
What characteristics must be present if an adverse event is to be considered an incident?
- It is directed against information assets owned or operated by the organization.
- It has a realistic chance of success
- It threatens the confidentiality, integrity, or availability of the information resources and assets
What are the three sets of time-based procedures that are often part of the IR planning process?
Addressing the steps taken before, during, and after an incident
What is meant by the “trigger” for an IR-related plan?
Circumstance causing IR team activation and IR plan initiation
What is a “reaction force” in terms of IR planning?
IRP team determines individuals needed to respond to each particular end case
Unique team for each attack scenario end case
Team leader specified in IR plan
Resources and skill sets added as necessary
IR plan specifies the scribe (archivist or historian)
Develops and maintains event log used in reviewing actions during the after-action review
CSIRT reaction force: the resulting incident team