CISM: Domain 4 - Module 1

This CISM domain covers information security incident management and how security incident response, business continuity planning, and disaster recovery planning can be used together to respond to security breaches.

We look at the importance of goals and how to use them so that in a crisis, you already know how to react. We then look at the roles and responsibilities that should be assigned within an organization for handling incidents. Finally, we look at the policies, standards, and procedures that are going to be used in this process of responding to a security incident.

Learning Objectives

  • Obtain a solid understanding of security incident management
  • Set goals for responding to incidents
  • Understand the additional resources that help for managing incidents

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Management exam or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


We are now going to cover the fourth and final domain of the CISM exam preparation seminar, Domain Four, Information Security Incident Management. While security incident response, business continuity planning, and disaster recovery planning are often considered to be separate disciplines, they do share a common objective, the best possible continuity of business operations during and after a threat event.

There is a wide variety of threat events that, if realized, will call upon one or more of these three disciplines in response. Security incident response, business continuity, and disaster recovery all require advanced planning so that the organization will have discussed, documented, and outlined the responses required for the various types of incidents in advance of their occurrence.

Risk assessments are the foundation of this planning for all three disciplines as it is necessary to discover relevant risks and to establish priorities during response. One of the byproducts of planning security incident response, business continuity, and disaster recovery is the improvement of systems and processes.

Primarily, the planning efforts reveal improvement opportunities that, when implemented, will result in the information systems becoming more secure and resilient. These improvements generally mean that incidents are either less likely to occur or they will have less impact on the organization when they do.

A security incident can be caused by any one of several agents or actions. These can include computer account abuse, device or network trespass, information exposure or theft, malware, denial of service or distributed denial of service, loss of critical information, device theft, sabotage, or any other impact that disrupts the confidentiality, integrity, and availability of an enterprise system or data.

So when we look at the departments and other organizational entities that might be involved in an incident response plan, they can include any or all of these, IT obviously, internal audit, HR, legal, physical, and the rest. Some of these will be directly involved as contributors to the incident response plan or even participants in the recovery efforts. And some will be what you would call ex officio members, where they get information and are kept in the information loops but aren't directly involved in the incident response unless, of course, their department is directly concerned with the event itself.

So here we have some examples of typical types of events and the typical responses that we have. Natural disasters, we'll typically call upon the disaster continuity and disaster recovery efforts, man-made disasters, again, business continuity and likely the disaster recovery efforts. Theft of information, more probably we'll call upon the security incident response. And deliberate corruption of information or systems by an attacker, it may involve business continuity, but it will certainly involve security incident response teams.

So let's take a look at a graphical relationship between these two. We start with our normal operations there at the far left, and then we have an incident onset or a disaster onset, and there's nothing to say that the two couldn't be the same. Then we have the cross impact of incidents and disasters to the incident response plans, the business continuity plans, and the disaster recovery plans.

Once they have successfully accomplished their objectives, the systems and operations are recovered, and normal operations are resumed. So the incident management actions that take place during any of these will include things before, during, and after the incidents themselves. And they're designed with the following goals in mind, they need to provide a way to attempt for us to minimize the impact.

They should provide enough information to make right decisions at any point where a decision must be made as to the next step in the course. We want to try to maintain and restore continuity of services as best we can. This will be limited, of course, based on the circumstances. Ideally, these should provide for defense against future attacks or an extension or expansion of the current one, and there should be elements that provide for deterrence.

Now, any type of an event can disrupt business operations and become a more severe incident or even a disaster. Risk assessments and business impact analyses are used to prioritize response activities around the business priorities. And it's increasingly important to develop effective incident management plans so that we can conduct these things with great control and ensure that nothing is missed.

So let's cover some basic incident response concepts. These will involve a handling process that includes detection and reporting of incidents, triage of incidents, the analysis of them, and incident response actions. Now, the incident management process ensures impact of incidents is minimized, or at least it attempts to make sure that they are minimized.

The recording of the incident is useful for legal or disciplinary action as well as for lessons learned. Prioritization ensures that work is allocated properly. Incident response carries out various actions including mitigation, containment, and recovery.

So let's think back to the eight security principles we covered in section one. The incident response team must understand all of these. The team must also understand vulnerabilities, and that includes software issues like design flaws, man-in-the-middle attacks, malicious code, and all of the rest.

The team must also understand physical security issues and social engineering and the contributions they can make to causation of incidents and to exacerbation of incidents and how they can be counteracted. The team members should also have fundamental knowledge of how network protocols operate, such as the common TCP, IP, UDP, ICMP, and all the rest.

Team members need to be well-versed in operating system issues for Windows, Mac, Linux, or any other. Prior to provisioning, the system should have gone through a hardening process, configuration file reviews, privilege management processes, and so on. Team members must be familiar with common attack methods and how to counteract them. They should also know about malicious code, how it's propagated, and how it can be counteracted.

Members of the team should possess programming skills because it can help them detect vulnerabilities as well as running various scripts that can help them resolve the various issues they encounter. They will also need to be able to understand the coding and the practices of the developers in case the incident involves program modifications.

About the Author
Learning Paths

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. leo is an ISC2 Certified Instructor.