Resources that Help


Incident Management

This CISM domain covers information security incident management and how security incident response, business continuity planning, and disaster recovery planning can be used together to respond to security breaches.

We look at the importance of goals and how to use them so that in a crisis, you already know how to react. We then look at the roles and responsibilities that should be assigned within an organization for handling incidents. Finally, we look at the policies, standards, and procedures that are going to be used in this process of responding to a security incident.

Learning Objectives

  • Obtain a solid understanding of security incident management
  • Set goals for responding to incidents
  • Understand the additional resources that help for managing incidents

Intended Audience

This course is intended for anyone preparing for the Certified Information Security Management exam or anyone who is simply interested in improving their knowledge of information security governance.


Before taking this course, we recommend taking the CISM Foundations learning path first.


So now we're going to cover section 56, in which we look at incident management and the resources that help. As with all things we've discussed in this course, we have to develop policies and procedures, and the incident response plan must document the policies, standards, and procedures that are going to be used in this process.

We have to be sure that all of the activities are aligned with the incident response team mission, which should be reflective of the overall security program and its alignment with the business mission. These will set expectations and provide guidance for all operational needs.

Part of our policy and standard setting will be to maintain consistency of services wherever and however possible. It'll make clear all of the roles, and the responsibilities associated with them, for all IRT members. And it will set requirements for backups and alternates.

There are incident management systems that we can use. These automated incident management systems have become very popular and they can provide real value in managing the course of an incident. They capture information in real time. They can identify pending incidents, and as those increase in probability or priority, they can escalate them for earlier action.

Part of what they're designed to do is send alerts when criteria are met or thresholds exceeded, and they can operate in either a distributed or centralized mode.

Now a security information and event management (SIEM) system is the combination of security information management and security event management capabilities. This is an example of a centralized system that can provide distributed notification and alerting. It captures both security information and security event data. These systems typically gather logs from across the network and combine them into a single database, where the records are normalized and correlated, so that incidents can be prioritized according to business impact and we can see the sequence of events that makes them up. They can track the status of incidents as they happen and provide alerting. And they should be based on machine learning and on the implementation of effective guidance and policy.
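To make the normalize, correlate, and prioritize pipeline concrete, here is a toy SIEM stage written for this page as an added example (not code from the course or from any product). It takes constructed log lines in three different formats, maps them onto one schema, groups related events per host inside a time window, escalates one ordered pattern (repeated failed logins followed by a success from the same source), and ranks the resulting incidents by severity multiplied by a constructed business-impact rating for the asset. The host names, IP addresses, log formats, and impact ratings are all assumptions.

```python
"""Toy SIEM pipeline: normalize heterogeneous logs, correlate per host,
rank by business impact.  All logs, hosts, and ratings are constructed."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory; "impact" is the business-impact rating
# (1 = low, 3 = critical) that drives prioritization.
ASSETS = {
    "hr-db": {"ip": "10.0.0.5", "impact": 3},
    "lobby-kiosk": {"ip": "10.0.0.20", "impact": 1},
}
IP_TO_HOST = {a["ip"]: name for name, a in ASSETS.items()}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
WINDOW = timedelta(minutes=10)  # events on one host this close together belong to one incident

# Constructed sample logs: firewall (syslog-ish), sshd, and an EDR JSON line.
RAW_LOGS = [
    "2024-03-01T09:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T09:00:06Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "Mar 01 09:01:10 hr-db sshd: Failed password for admin from 203.0.113.7",
    "Mar 01 09:01:12 hr-db sshd: Failed password for admin from 203.0.113.7",
    "Mar 01 09:01:15 hr-db sshd: Accepted password for admin from 203.0.113.7",
    '{"ts":"2024-03-01T11:30:00Z","host":"lobby-kiosk","sev":"low","msg":"usb device inserted"}',
]

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
SSH_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def _utc(dt):
    return dt.replace(tzinfo=timezone.utc)


def normalize(line, year=2024):
    """Map one raw line onto the common schema {ts, host, event, src, severity}.
    Returns None for formats this toy parser does not know."""
    m = FW_RE.match(line)
    if m:
        ts, _, action, src, dst, _ = m.groups()
        return {"ts": _utc(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")),
                "host": IP_TO_HOST.get(dst, dst), "event": "fw_" + action.lower(),
                "src": src, "severity": "low"}
    m = SSH_RE.match(line)
    if m:
        ts, host, outcome, _user, src = m.groups()
        # syslog timestamps carry no year, so the caller supplies one
        dt = _utc(datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"))
        return {"ts": dt, "host": host, "event": "auth_" + outcome.lower(), "src": src,
                "severity": "medium" if outcome == "Failed" else "low"}
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": _utc(datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")),
                "host": d["host"], "event": d["msg"], "src": None, "severity": d["sev"]}
    return None


def correlate(events):
    """Group events per host into incidents and rank them by priority."""
    incidents, open_by_host = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        inc = open_by_host.get(ev["host"])
        if inc is None or ev["ts"] - inc["first_seen"] > WINDOW:
            inc = {"host": ev["host"], "first_seen": ev["ts"], "events": [], "status": "open"}
            incidents.append(inc)
            open_by_host[ev["host"]] = inc
        inc["events"].append(ev)
    for inc in incidents:
        sev = max(SEVERITY[e["severity"]] for e in inc["events"])
        # Sequence rule: two or more failed logins, then a success from the
        # same source, is escalated.  The ORDER of events is what matters here.
        for acc in (e for e in inc["events"] if e["event"] == "auth_accepted"):
            prior_fails = [e for e in inc["events"]
                           if e["event"] == "auth_failed" and e["src"] == acc["src"] and e["ts"] < acc["ts"]]
            if len(prior_fails) >= 2:
                sev, inc["pattern"] = SEVERITY["high"], "brute_force_success"
        inc["severity"] = sev
        inc["impact"] = ASSETS.get(inc["host"], {"impact": 1})["impact"]
        inc["priority"] = sev * inc["impact"]  # business impact drives the ranking
    return sorted(incidents, key=lambda i: i["priority"], reverse=True)


def run(lines):
    return correlate([e for e in map(normalize, lines) if e])


if __name__ == "__main__":
    for inc in run(RAW_LOGS):
        print(inc["priority"], inc["host"], inc.get("pattern", "-"), len(inc["events"]), "events")
```

The point to notice is that the five hr-db lines come from two different sources and two different timestamp formats; only after normalization can the correlation step see them as one sequence, and only the asset rating makes that sequence outrank the kiosk alert.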

Now the primary benefits of a system like this are that operating costs can go down due to this increased level of automation, and that it can enable decreased response times, which in turn mean lower costs due to quicker containment and recovery. Another set of critical activities will be the audits that are performed.

First, the audits, as we know, will ensure that the organization is in compliance. Second, internal audits are carried out by employed specialists or by skilled employees who examine internal activities and systems for any sort of gaps or discrepancies. An external audit is always executed by an unbiased third party. These are typically used to prove compliance with legal or regulatory requirements, and they may be required contractually or legally. Audits can validate compliance in the face of an event, meaning that even though the event occurred, we were not out of compliance, and as such our compliance posture may not have contributed to the event itself. An audit can also show gaps in response plans; hopefully these will be identified before the response plan actually has to be employed.

Now outsourced security providers are a third party that we hire to do this job when we don't have a dedicated resource in house. Outsourcing IT and incident management to the same vendor has its advantages: it does provide for tighter integration. However, we have to consider the following. We have to match the organization's incident numbering to the vendor's.

So there is a question of correlation and records matching. We have to integrate our organization's change management with the vendor's to ensure that, again, we're all on the same page and have the same reading of events and activities. We also have to be sure that our vendor, working for us, is performing periodic review of incidents to make sure that they maintain a high level of awareness and preparedness.

Now we move into section 57, where we discuss the other side of the same issue: constraints that hurt. Constraints in the area of incident management normally involve insufficient resources for detection, triage, and response; a lack of detection mechanisms, or their improper placement; ineffective or missing lines of communication for alerting and escalation; a lack of training for skilled personnel to enable them to respond better; and a misaligned strategy that does not focus on event attributes and priorities as established by the business.

With intrusions, breaches, and attacks increasing in prevalence and speed, skilled triage and effective management are more crucial than ever. A lack of resources and skilled team members is among the most critical constraints that have to be addressed and resolved.

So we come to section 58 and we discuss the action plan. Once we have all of our planning done, now comes implementation. And all of the good planning that we've put ourselves through, and all of the great skills and training that we've got, can be undermined if the implementation plan is not performed correctly. So we must plan the implementation to seek to create a compatible integration of the incident response activity with operations.

By integrating the IR function, it becomes an intrinsic part of the operation, such that response, triage, and reduction become a more, quote unquote, natural function. Proper integration ensures appropriate alignment of response efforts, ensures that they align with business priorities, and enables adjustment and adaptation as circumstances and changes in those business priorities may warrant.

This process ensures that incident response is adopted as a mission critical function and it's not relegated to secondary status without significant priority. We come now to section 59 in our information security incident management program and we're going to discuss metrics and monitoring.

So as with all of the components of our security management program, we will need to establish key performance indicators (KPIs) and key goal indicators (KGIs) for incident management. Some typical ones for incident management would be the total number of reported incidents; the total number of detected incidents, which may be different from the total number of reported incidents; the number of days without a reported incident; and the average time to resolve each one.

Now these KPIs and KGIs must be well-defined and agreed to by stakeholders. So here we come to one of our concluding sections in which we will examine information security incident management and what success would look like.
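The KPIs listed above are easy to get subtly wrong (which clock does "time to resolve" start on, and why do reported and detected counts differ?), so here is a small KPI calculator added for this page as an example; it is not code from the course or from any tool. It runs over a constructed incident register in which each record may carry a detection time (monitoring saw it), a report time (a person reported it), or both, and computes the four indicators named in the text for one reporting period. The record layout, field names, and reporting period are assumptions.

```python
"""KPI calculator for an incident register.  Register and period are constructed."""
from datetime import date, datetime, timedelta
from statistics import mean

# Constructed register.  "detected_at" is when monitoring saw the incident,
# "reported_at" when a person reported it; either may be missing, which is
# exactly why the reported and detected counts can differ.
INCIDENTS = [
    {"id": "INC-1", "detected_at": "2024-03-01T08:00", "reported_at": "2024-03-01T09:30", "resolved_at": "2024-03-01T14:00"},
    {"id": "INC-2", "detected_at": "2024-03-04T10:00", "reported_at": None,               "resolved_at": "2024-03-04T12:00"},
    {"id": "INC-3", "detected_at": None,               "reported_at": "2024-03-12T16:00", "resolved_at": "2024-03-14T16:00"},
    {"id": "INC-4", "detected_at": "2024-03-20T01:00", "reported_at": "2024-03-20T02:00", "resolved_at": "2024-03-20T03:00"},
]
PERIOD = (date(2024, 3, 1), date(2024, 3, 31))  # inclusive reporting period


def _dt(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M") if s else None


def longest_quiet_streak(incidents, period):
    """Longest run of whole days inside the period with no reported incident.
    Period edges act as virtual neighbours so a quiet start or end counts."""
    start, end = period
    days = sorted({_dt(i["reported_at"]).date() for i in incidents if i["reported_at"]})
    bounds = [start - timedelta(days=1)] + days + [end + timedelta(days=1)]
    return max((b - a).days - 1 for a, b in zip(bounds, bounds[1:]))


def opened_at(inc):
    """The resolution clock starts at the earliest known sighting, whichever
    channel (monitoring or a person) produced it."""
    return min(t for t in (_dt(inc["detected_at"]), _dt(inc["reported_at"])) if t)


def kpis(incidents, period):
    hours = [(_dt(i["resolved_at"]) - opened_at(i)).total_seconds() / 3600 for i in incidents]
    return {
        "reported_incidents": sum(1 for i in incidents if i["reported_at"]),
        "detected_incidents": sum(1 for i in incidents if i["detected_at"]),
        "longest_days_without_reported_incident": longest_quiet_streak(incidents, period),
        "mean_time_to_resolve_hours": round(mean(hours), 1),
    }


if __name__ == "__main__":
    for name, value in kpis(INCIDENTS, PERIOD).items():
        print(f"{name}: {value}")
```

Note that INC-2 was detected by monitoring but never reported by a person, and INC-3 the reverse, so both counts are 3 while the register holds 4 incidents; a stakeholder reading only one of the two numbers would get the wrong picture, which is why the text insists the definitions be agreed up front.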

So let us start with this: if you have a good incident management solution, you should be equipped to deal effectively with unanticipated events. Incidents will usually be detected quickly. The incident response decisions are well-documented. Response procedures can change based on asset criticality or sensitivity during the incident.

Employees will know how to recognize and report incidents, and to whom. Security will be implemented in a cost-effective manner. And response capabilities will be regularly tested and measured. If, however, you have a great incident response plan, all of the statements on the previous slide will be true, and more. Risk will be maintained within acceptable limits.

Response teams are equipped, trained, and in place ready to move at a moment's notice. The incident response plans themselves are in place and understood by all stakeholders. Root causes are fixed to enable an acceptable interruption window.

Communication flows to stakeholders as documented and in a timely manner. The lessons learned are documented, captured and shared with stakeholders, and then folded into our learning process to improve our next incident response. And internal and external stakeholders are confident that the business has control over these risks.

So we've come to the conclusion of our CISM review seminar for exam preparation. In this second half of our presentation of this course, we have covered the four domains, and here are the highlights of each:

  • Information security governance, in which we covered how to understand the operational context in order to design and implement an effective information security management program.
  • Information security risk management, in which we highlighted approaches to risk management, strategy development, process management, and effective communications.
  • Information security program development and management, in which we discussed frameworks, operational alignment, administration, audit, assessment, and metrics.
  • Information security incident management, in which we discussed the incident management process of response, response planning, breach management, business continuity and disaster recovery planning, and testing and execution.

Across all four, we have brought out the most important concepts, approaches and frameworks and operations activities contained within the CISM. So we want to thank you for participating in this review seminar. We hope this has given you a very strong boost in your preparations to take the CISM certification examination.

This certification is one of the most in-demand certifications available today. Those who attain it demonstrate their grasp of the most important aspects of information security programs and their appreciation of the interrelationship between such programs and the business they're designed to protect.

We encourage you to continue your preparations through independent study to solidify the concepts and methods we've discussed here. As you would expect, the CISM exam is challenging, but it is a challenge worthy of your best efforts to ensure your success.

Again, our thanks for joining us on this journey to the CISM and we at the Cloud Academy wish you success with the CISM exam and your future endeavors.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.