Incident Response (IR)

Last updated 3:40 PM on 1/5/26
10 Terms

Card 1

What is the role of Incident Response (IR) in the overall ISM framework?

IR is a core activity in the Management phase of ISM. It's a systematic process for dealing with a computer security incident and is a vital part of "good management".

Card 2

What is the fundamental relationship between IR and Risk Management?

The entire IR process is designed to manage the risk of an incident and minimize its impact. Critically, the post-incident process of Lessons Learned must feed directly back into the Risk Management process to improve security measures.

Card 3

What are the 5 phases of the NIST CSF?

Identify: Establish an organizational understanding of cybersecurity risks to systems, assets, data, and capabilities, including governance, risk assessment, and supply chain risk.

Protect: Develop and implement safeguards to ensure delivery of critical services and protect systems and assets from cyber threats.

Detect: Implement processes to identify the occurrence of a cybersecurity event in a timely manner.

Respond: Take action to contain the impact of a detected cybersecurity incident, including communication, analysis, and mitigation.

Recover: Develop and implement plans to restore capabilities or services impaired due to a cybersecurity incident.

Card 4

List and describe the four stages of the NIST Incident Handling Lifecycle.

1. Preparation: Planning, policy, team setup, and defining what constitutes an incident.

2. Detection and Analysis: Monitoring systems, identifying potential incidents (security events), and analyzing them to confirm if an attack is occurring.

3. Containment, Eradication, and Recovery: Stopping the spread (containment), removing the threat (eradication), and restoring systems to normal operation (recovery).

4. Post-Incident Activity: Documenting lessons learned and feeding information back into the preparation phase to improve future response.

Card 5

Define Digital Forensics in the context of Incident Response.

Applying science to law to produce evidence for court or to provide information in an investigation.

Card 6

List and briefly explain the four main stages of the forensics process (Collection, Examination, Analysis, Reporting).

1. Collection (media): Identifying, recording, and labelling data while maintaining the integrity of data.

2. Examination (data): Processing data (manually/automatically) to extract interesting data, also maintaining integrity.

3. Analysis (information): Establishing the chain of events and identifying attackers/victims.

4. Reporting (evidence): Documenting the results and the analysis process thoroughly, often for presentation in court.

Card 7

Beyond criminal investigation, what is another key use of forensics in "good management"?

Forensics is used for operational troubleshooting, data recovery following accidents, data acquisition (e.g., from retired staff), and due diligence for regulatory compliance.

Card 8

What is the primary Legal/Ethical constraint on investigations regarding data subjects?

The privacy of personal data. Investigations must consider the DPA and Investigatory Powers legislation.

Card 9

What two ethical requirements must investigators follow when using forensics?

The investigation must state the reasonable and appropriate use of forensics and must ensure adherence to the ACPO Principles for Digital Evidence.

Card 10

What are the Personnel issues that create ethical/operational constraints during an investigation?

Security Management must consider:

1. Training and Skills

2. Willingness to engage in the potentially stressful activities involved in high-stakes investigations.