
Incident Response Procedures
Incident response procedures (IRP) enable a business to:
- respond effectively when an incident occurs (used to respond).
- continue operations in the event of disruption (used to keep operating).
- survive interruptions or security breaches in information systems.

Plans must be:
- Clearly documented.
- Readily accessible.
- Based on the long-range IT plan.
- Consistent with the overall business continuity and security strategies (i.e., aligned with the BCP and the security strategy).

The process of developing and maintaining an appropriate plan for the defined scope of incident management and response should include:
- Incident Response Planning -> security breach/interruption
- Business Continuity Planning -> interruption
- Disaster Recovery Planning -> system restoration

Concepts
Incident handling is the one service that covers all the processes and tasks associated with handling events and incidents. It involves multiple functions:
- Detection and reporting -> detect, then report
- Triage -> classify and prioritize
- Analysis -> analyze
- Incident response -> respond

Incident response is the last step in an incident handling process.
It encompasses:
- Planning, coordination, and execution of any appropriate mitigation.
- Recovery strategies and actions.

Responsibilities
The ISM's incident response-related responsibilities include:
- Developing the information security incident management and response plans.
- Handling and coordinating information security incident response activities effectively and efficiently.
- Validating, verifying and reporting on protective or countermeasure solutions, both technical and administrative.
- Planning, budgeting and program development for all matters related to information security incident management and response.

Incident response goals include:
- Containing and minimizing the effects of the incident so that damage and losses do not escalate out of control.
- Notifying the appropriate people for the purpose of recovery or to provide needed information.
- Recovering quickly and efficiently from security incidents.
- Responding systematically and decreasing the likelihood of recurrence.
- Balancing operational and security processes.
- Dealing with legal and law enforcement-related issues.

The ISM must define what constitutes a security-related incident (by scenario), for example:
- Malicious code attacks
- Unauthorized access to IT or information resources
- Unauthorized utilization of services
- Unauthorized changes to systems, network devices or information
- Denial of service
- Misuse
- Surveillance and espionage (theft of information)
- Hoaxes/social engineering

Senior Management Commitment
- Senior management commitment is critical to the success of incident management and response.
- Incident management and response:
   o Is a component of risk management -> part of risk management
   o Needs the same level of support from the top

Incident Management Resources
- Develop a clear scope and objective [first]
- Develop an implementation strategy [then]

Policies and Standards
The incident response plan must be backed by well-defined policies, standards and procedures. These help to:
- Ensure activities are aligned with the Incident Management Team (IMT) mission
- Set correct expectations -> targets are set accurately
- Provide guidance on operational needs
- Maintain consistency and reliability of services
- Make roles and responsibilities clearly understood
- Set requirements for identified alternates for all important functions -> resource requirements

Incident Response Technology Concepts
IRT members should be familiar with:
- Basic security principles

IRT members must understand the impact on organizational systems of security vulnerabilities, the Internet, operating systems and malicious code, and should have the supporting technical skills:
- Security vulnerabilities/weaknesses
- The Internet
- Operating system(s)
- Malicious code
- Programming skills

Personnel
Composition of the IMT:
- Information Security Manager
- Steering Committee/Advisory Board
- Permanent/dedicated team members
- Virtual/temporary team members

Team organizational types (organizational styles):
- Centralized IRT
- Distributed IRT
- Coordinating IRT
- Outsourced IRT

Awareness and Education
Incident response training must include the following target groups:
- End users
- Management
- IMT team
- General IT team -> system custodians

Detailed Plan of Action for Incident Management
- The incident management action plan is also known as the incident response plan (IRP).
- There are a number of approaches to developing the IRP.
- In the CMU/SEI technical report titled Defining Incident Management Processes, the approach is as follows:
1. Prepare/improve/sustain
2. Protect infrastructure
3. Detect events
4. Triage events (priority)
5. Respond

Developing an Incident Response Plan
CIAC (and later the SANS Institute) proposed the following incident response phases:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

1. Preparation
- This phase prepares the organization before an incident occurs: the incident response plan is developed here, and sufficient preparation makes execution smooth when the plan is invoked.
- Activities in this phase include:
   o Establishing an approach to handle incidents
   o Establishing policy and warning banners in information systems to deter intruders and allow information collection.
   o Establishing a communication plan to stakeholders.
   o Developing criteria on when to report an incident to authorities.
   o Developing a process to activate the incident management team.
   o Establishing a secure location from which to execute the incident response plan.
   o Ensuring the equipment needed is available.

2. Identification
- This phase aims to verify whether an incident has happened and to find out more about it. Reports of possible incidents may come from information systems, end users or other organizations.
  Not all reports are valid incidents; some are false alarms or do not meet the definition of an incident.
- Activities in this phase include:
   o Assigning ownership of an incident or potential incident to an incident handler.
   o Verifying that the reported events qualify as an incident.
   o Establishing chain of custody during identification when handling potential evidence.
   o Determining the severity of an incident and escalating it as necessary.
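The triage decisions of the Identification phase (is this report an incident at all, which category from the ISM's incident definition does it fall into, how severe is it, does it escalate) are easier to reason about when written as a small decision procedure. The following is an added example for these notes, not code from the CISM manual or the CMU/SEI report; the keyword classifier, the 1..4 severity scale, the escalation threshold and the sample reports are constructed assumptions. Only the category names come from the notes.

```python
"""Triage of incident reports: verify, classify, rate severity, escalate.

Added example for these notes (not from the CISM manual or the CMU/SEI
report). The category names follow the notes' list of security-related
incidents; the keyword classifier, the severity scale (1 low .. 4 critical),
the escalation threshold and the sample reports are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Keywords that map a report onto one of the incident categories in the notes.
CATEGORY_KEYWORDS = {
    "malicious code": ("malware", "virus", "worm", "ransomware"),
    "unauthorized access": ("unauthorized login", "brute force", "stolen credential"),
    "unauthorized change": ("unauthorized change", "tampered", "config changed"),
    "denial of service": ("ddos", "flood", "service unavailable"),
    "social engineering": ("phishing", "hoax", "pretext"),
}

# Assumed base severity per category on a 1..4 scale.
BASE_SEVERITY = {
    "malicious code": 3,
    "unauthorized access": 3,
    "unauthorized change": 2,
    "denial of service": 3,
    "social engineering": 2,
}
ESCALATION_THRESHOLD = 3  # assumed: severity 3 and above goes to the IMT immediately


@dataclass
class Report:
    report_id: str
    text: str
    affected_assets: int
    asset_criticality: str   # "low" | "medium" | "high" (assumed scale)
    confirmed: bool          # the handler verified the event really occurred


@dataclass
class TriageResult:
    report_id: str
    is_incident: bool
    category: Optional[str]
    severity: int
    escalate: bool
    reason: str


def classify(text: str) -> Optional[str]:
    """Return the first matching incident category, or None if none matches."""
    lowered = text.lower()
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(k in lowered for k in keywords):
            return category
    return None


def score_severity(category: str, report: Report) -> int:
    """Base severity, raised for critical assets and for wide spread, capped at 4."""
    severity = BASE_SEVERITY[category]
    if report.asset_criticality == "high":
        severity += 1
    if report.affected_assets >= 10:
        severity += 1
    return min(severity, 4)


def triage(report: Report) -> TriageResult:
    """Decide whether a report is an incident at all, then rate and route it."""
    if not report.confirmed:
        return TriageResult(report.report_id, False, None, 0, False,
                            "unverified report / false alarm")
    category = classify(report.text)
    if category is None:
        return TriageResult(report.report_id, False, None, 0, False,
                            "does not match the incident definition")
    severity = score_severity(category, report)
    return TriageResult(report.report_id, True, category, severity,
                        severity >= ESCALATION_THRESHOLD,
                        f"{category}, severity {severity}")


def prioritize(reports: List[Report]) -> List[TriageResult]:
    """Triage every report and return the confirmed incidents, most severe first."""
    results = [triage(r) for r in reports]
    incidents = [r for r in results if r.is_incident]
    return sorted(incidents, key=lambda r: r.severity, reverse=True)


# Constructed sample reports (not real data).
SAMPLE_REPORTS = [
    Report("R1", "EDR alert: ransomware beacon seen from 12 finance workstations",
           affected_assets=12, asset_criticality="high", confirmed=True),
    Report("R2", "User forwarded a phishing email asking for the VPN password",
           affected_assets=1, asset_criticality="low", confirmed=True),
    Report("R3", "Antivirus flagged a virus; the file turned out to be a test sample",
           affected_assets=1, asset_criticality="low", confirmed=False),
    Report("R4", "Printer on floor 3 reports low toner",
           affected_assets=1, asset_criticality="low", confirmed=True),
]

if __name__ == "__main__":
    for result in prioritize(SAMPLE_REPORTS):
        print(result)
```

Running it lists only R1 (malicious code, severity 4, escalated) and R2 (social engineering, severity 2, handled without escalation); R3 is dropped as an unverified report and R4 because it does not meet the incident definition, which is exactly the filtering the phase is meant to do before the IMT is activated.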

3. Containment
- After an incident has been identified and confirmed, the IMT is activated and the information gathered by the incident handler is shared with it.
- The team conducts a detailed assessment and contacts the system owner or business manager of the affected information systems/assets to coordinate further action.
- The aim of this phase is to limit the exposure. Activities in this phase include:
   o Activating the incident management/response team to contain the incident.
   o Notifying the appropriate stakeholders affected by the incident.
   o Obtaining agreement on actions that may affect the availability of a service, and on the risks of the containment process itself.
   o Getting the IT representative and relevant virtual team members involved to implement containment procedures.
   o Obtaining and preserving evidence.
   o Documenting all actions, and taking backups, from this phase onward.
   o Controlling and managing communication to the public through the public relations team.
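"Obtaining and preserving evidence" here, and "establishing chain of custody" in the Identification phase, both rest on the same mechanics that Practice Question 4-10 below asks about: a bit-by-bit image whose hash is recorded at acquisition and re-checked at every hand-off. The block below is an added example for these notes, not from the CISM manual. The "drive" is a constructed bytes object standing in for a raw block device (in practice the source is read through a write blocker and imaged with dd or a forensic imager); its layout, the custody record fields and the actor names are assumptions made for illustration.

```python
"""Bit-for-bit evidence imaging with hash verification and a chain-of-custody log.

Added example for these notes, not from the CISM manual. The "drive" is a
constructed bytes object standing in for a raw block device; in practice the
source is read through a write blocker and imaged with dd or a forensic
imager. The layout (allocated region followed by unallocated space holding a
deleted-file remnant), the custody record fields and the actor names are
constructed assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

DRIVE_SIZE = 4096          # constructed: size of the fake block device
ALLOCATED_BYTES = 1024     # constructed: bytes the file system reports as in use
BLOCK_SIZE = 512


@dataclass
class CustodyEntry:
    timestamp: str
    actor: str
    action: str
    sha256: str


@dataclass
class EvidenceImage:
    data: bytes
    sha256: str                                   # hash taken at acquisition
    custody: List[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def build_sample_drive() -> bytes:
    """Constructed device: live file data, then unallocated space holding a deleted remnant."""
    live = b"FILE invoice.txt: Q3 invoices approved\n".ljust(ALLOCATED_BYTES, b"\x00")
    remnant = b"DELETED transfer.txt: wire 50000 to account 9981\n"
    unallocated = remnant.ljust(DRIVE_SIZE - ALLOCATED_BYTES, b"\x00")
    return live + unallocated


def image_device(source: bytes, actor: str) -> EvidenceImage:
    """Copy every block of the device, hash the result and open the custody log."""
    image = bytearray()
    for offset in range(0, len(source), BLOCK_SIZE):
        image += source[offset:offset + BLOCK_SIZE]
    digest = sha256_hex(bytes(image))
    if digest != sha256_hex(source):
        raise RuntimeError("image hash does not match source; acquisition failed")
    evidence = EvidenceImage(bytes(image), digest)
    evidence.custody.append(CustodyEntry(_now(), actor, "acquired bit-for-bit image", digest))
    return evidence


def logical_copy(source: bytes) -> bytes:
    """A file-level copy: only the allocated region, so slack and deleted data are lost."""
    return source[:ALLOCATED_BYTES]


def transfer(evidence: EvidenceImage, from_actor: str, to_actor: str) -> bool:
    """Re-hash on every hand-off and record it; return False if integrity is broken."""
    current = sha256_hex(evidence.data)
    evidence.custody.append(CustodyEntry(_now(), to_actor,
                                         f"received from {from_actor}", current))
    return current == evidence.sha256


if __name__ == "__main__":
    drive = build_sample_drive()
    img = image_device(drive, "analyst A")
    print("bit-for-bit image holds deleted data:", b"DELETED" in img.data)
    print("logical copy holds deleted data:     ", b"DELETED" in logical_copy(drive))
    print("hand-off intact:", transfer(img, "analyst A", "evidence custodian"))
    for entry in img.custody:
        print(entry)
```

The point the example makes concrete: the logical copy is complete from the file system's point of view yet does not contain the deleted remnant, so only the bit-for-bit image, with its acquisition hash and an unbroken custody trail, supports later claims about what was on the disk.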

4. Eradication
- Once containment measures have been deployed, the next step is to determine the root cause of the incident and eradicate it.
- Eradication can be done in a number of ways:
   o restoring backups to achieve a clean state of the system,
   o removing the root cause,
   o improving defenses,
   o performing vulnerability analysis to find further potential damage from the same root cause.
- Activities in this phase include:
   o Determining the signs and cause of the incident
   o Locating the most recent version of backups or alternative solutions
   o Removing the root cause. In the event of a worm or virus infection, this means deploying appropriate patches and updated antivirus software.
   o Improving defenses by implementing protection techniques
   o Performing vulnerability analysis to find new vulnerabilities introduced by the root cause

5. Recovery
- This phase ensures that affected systems or services are restored to the condition specified in the service delivery objectives (SDO -> the level of service to be maintained while running on the alternate system) or the business continuity plan (BCP -> the system recovery requirements). The time limit for reaching this point is documented in the RTO.
- Activities in this phase include:
   o Restoring operations to normal
   o Validating that the actions taken on restored systems were successful
   o Getting system owners involved to test the system
   o Facilitating system owners to declare normal operation

6. Lessons learned
- At the end of the incident response process, a report should be developed to share what happened, what measures were taken and the results after the plan was executed.
- The report should contain lessons learned that give the IMT and other stakeholders valuable learning points on what could have been done better.
- These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan. Activities in this phase include:
   o Writing the incident report
   o Analyzing issues encountered during the incident response effort
   o Proposing improvements based on the issues encountered
   o Presenting the report to relevant stakeholders

Gap Analysis - Basis for an Incident Response Plan
- Gap analysis - compares current incident response capabilities with the desired level.
- By comparing the two levels, the following may be identified:
   o Processes that need to be improved to be more efficient and effective
   o Resources needed to achieve the objectives for the incident response capability.

Business Impact Assessment
- A BIA should:
   o Determine the loss to the organization resulting from a function being unavailable
   o Establish the escalation of that loss over time
   o Identify the minimum resources needed for recovery
   o Prioritize the recovery of processes and supporting systems
- Create a report to aid stakeholders in understanding what impact an incident would have on the business.
- A successful BIA requires participation from:
   o Senior management -> approves
   o IT -> custodian
   o End-user personnel -> owner

Incident Management and Response Teams
The number of teams depends upon the size of the organization and the magnitude of its operations - examples include:
- The emergency action team -> first to reach the scene
- Damage assessment team -> assesses the damage
- Emergency management team -> directs the response
- Relocation team -> moves operations to the alternate site
- Security team -> the security team

Recovery Site
Types of offsite backup hardware facilities available include:
- Hot sites -> critical systems already in place
- Warm sites -> critical equipment in place
- Cold sites -> an empty room
- Mobile sites -> a truck/trailer
- Duplicate sites -> identical to the primary site
- Mirror sites -> run in parallel with the primary system

Basis for Recovery Site Selections
Response and recovery strategy should be based on the following considerations:
- Interruption window -> the gap between the disruption and the point at which the loss becomes unacceptable
- RTOs -> systems
- RPOs -> data
- Service delivery objectives (SDOs) -> the level of service while operating at the alternate site
- Maximum tolerable outages (MTOs) -> the longest period the organization can operate from the alternate site
- Proximity factors -> similar events occurring across the same geographic area
- Location -> the distance between the affected site and the alternate site
- Nature of probable disruptions -> the nature of the event, e.g., how many hours it is expected to last
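The BIA's "escalation of loss over time" is what fixes the RTO, and the RTO, RPO and MTO together decide which of the site types above is even eligible. The block below is an added example for these notes, not from the CISM manual: it derives an RTO from a constructed loss-escalation table and then picks the cheapest site that satisfies all three constraints. The loss figures, the tolerable-loss threshold, the site parameters and the annual costs are constructed assumptions, and "cheapest feasible option" is an illustrative selection policy rather than a prescribed one.

```python
"""Pick a recovery strategy from BIA loss escalation and RTO/RPO/MTO constraints.

Added example for these notes, not from the CISM manual. The loss-escalation
table, the tolerable-loss figure, the site parameters and the annual costs are
constructed assumptions; the selection rule (cheapest option that satisfies
every constraint) is an illustrative policy, not a prescribed one.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SiteOption:
    name: str
    activation_hours: float   # time to bring the site into service (must fit the RTO)
    data_lag_hours: float     # age of the data available there (must fit the RPO)
    max_run_days: float       # how long it can sustain operations (must cover the MTO)
    annual_cost: float


# Constructed BIA output: cumulative loss after N hours of outage of one function.
LOSS_ESCALATION: List[Tuple[float, float]] = [
    (1, 5_000), (4, 20_000), (8, 60_000), (24, 250_000), (72, 1_200_000),
]

# Constructed catalogue of the site types listed under "Recovery Site":
# name, activation hours, data lag hours, max run days, annual cost.
SITES = [
    SiteOption("mirror site", 0.1, 0.0, 365, 900_000),
    SiteOption("hot site", 4, 1, 90, 400_000),
    SiteOption("warm site", 48, 24, 60, 120_000),
    SiteOption("mobile site", 72, 24, 30, 60_000),
    SiteOption("cold site", 240, 24, 180, 30_000),
]


def derive_rto(loss_escalation: List[Tuple[float, float]], tolerable_loss: float) -> float:
    """RTO = the longest outage whose cumulative loss still stays within tolerance."""
    rto = 0.0
    for hours, loss in sorted(loss_escalation):
        if loss > tolerable_loss:
            break
        rto = hours
    return rto


def feasible_sites(options: List[SiteOption], rto_hours: float,
                   rpo_hours: float, mto_days: float) -> List[SiteOption]:
    """Sites that can be up within the RTO, with data no older than the RPO, for the MTO."""
    return [o for o in options
            if o.activation_hours <= rto_hours
            and o.data_lag_hours <= rpo_hours
            and o.max_run_days >= mto_days]


def select_site(options: List[SiteOption], rto_hours: float,
                rpo_hours: float, mto_days: float) -> Optional[SiteOption]:
    """Cheapest option that meets RTO, RPO and MTO; None if no option qualifies."""
    candidates = feasible_sites(options, rto_hours, rpo_hours, mto_days)
    return min(candidates, key=lambda o: o.annual_cost, default=None)


if __name__ == "__main__":
    rto = derive_rto(LOSS_ESCALATION, tolerable_loss=100_000)
    choice = select_site(SITES, rto_hours=rto, rpo_hours=2, mto_days=60)
    print(f"RTO {rto} h -> {choice.name if choice else 'no feasible site'}")
```

With a tolerable loss of 100,000 the table yields an RTO of 8 hours; combined with a 2-hour RPO and a 60-day MTO, only the mirror and hot sites qualify and the hot site is chosen on cost. Loosening the RTO to 72 hours and the RPO to 24 hours lets the warm site win, and an MTO longer than any site can sustain returns no option at all, which is the signal to revisit the strategy rather than pick a site that cannot meet it.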

Reciprocal Agreements
Alternatives available for securing backup hardware and physical facilities include:
- A vendor or third party
- Off-the-shelf -- to make use of this approach, several strategies must be employed:
   o Avoiding the use of unusual and hard-to-get equipment
   o Regularly updating equipment to keep current
   o Maintaining software compatibility to permit the operation of newer equipment

Impact Analysis with Incident Response
The ISM needs to:
- Oversee the development of response and recovery plans to ensure that they are properly designed and implemented.
- Ensure resources required to continue the business are identified and recorded.
- Identify and validate response and recovery strategies.
- Obtain senior management approval of strategies.
- Oversee the development of comprehensive response and recovery plans.

High-Availability Considerations
The plan must also address fault-tolerant systems:
- Fail-safe servers using clusters or load balancing.
- Redundant Array of Inexpensive Disks (RAID)

Types of Tests
Tests that are progressively more challenging can include:
- Table-top walk-through of the plans
- Table-top walk-through with mock disaster scenarios
- Testing the infrastructure and communication components of the recovery plan
- Testing the infrastructure and recovery of the critical applications
- Testing the infrastructure, critical applications and involvement of the end users
- Full restoration and recovery tests with some personnel unfamiliar with the systems
- Surprise tests

==============================================================
Practice Question 4-1
The PRIMARY goal of a postincident review is to:
   a. gather evidence for subsequent legal action.
   b. identify individuals who failed to take appropriate action.
   c. prepare a report on the incident for management.
   d. derive ways to improve the response process.

Practice Question 4-2
Which of the following is the MOST appropriate quality that an incident handler should possess?
   a. Presentation skill for management report
   b. Ability to follow policy and procedures
   c. Integrity
   d. Ability to cope with stress

Practice Question 4-3
What is the PRIMARY reason for conducting triage?
   a. Limited resources in incident handling
   b. As a part of the mandatory process in incident handling
   c. To mitigate an incident
   d. To detect an incident

Practice Question 4-4
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party?
   a. Cost to rebuild information processing facilities
   b. Incremental daily cost of losing different systems
   c. Location and cost of commercial recovery facilities
   d. Estimated annualized loss expectancy (ALE) from key risks

Practice Question 4-5
Which of the following documents should be contained in a computer incident response team (CIRT) manual?
   a. Risk assessment
   b. Severity criteria
   c. Employee phone directory
   d. Table of all backup files

Practice Question 4-6
Which of the following types of insurance coverage would protect an organization against dishonest or fraudulent behavior by its own employees? (employee dishonesty)
   a. Fidelity
   b. Business interruption
   c. Valuable papers and records
   d. Business continuity

Practice Question 4-7
Which of the following practices would BEST ensure the adequacy of a disaster recovery plan?
   a. Regular reviews of recovery plan information
   b. Table top walk-through of disaster recovery plans
   c. Regular recovery exercises using expert personnel
   d. Regular audits of disaster recovery facilities

Practice Question 4-8
Which of the following procedures would provide the BEST protection if an intruder or malicious program has gained superuser (e.g., root) access to a system?
   a. Prevent the system administrator(s) from accessing the system until it can be shown that they were not the attackers.
   b. Inspect the system and intrusion detection output to identify all changes and then undo them.
   c. Rebuild the system using original media.
   d. Change all passwords then resume normal operations.

Practice Question 4-9
Which of the following is likely to be the MOST significant challenge when developing an incident management plan?
   a. Plan does not align with organizational goals
   b. Implementation of log centralization, correlation and event tracking
   c. Development of incident metrics
   d. Lack of management support and organizational consensus

Practice Question 4-10
If a forensics copy of a hard drive is needed, the copied data is MOST defensible from a legal standpoint if which of the following is used?
   a. A compressed copy of all contents of the hard drive
   b. A copy that includes all files and directories
   c. A bit-by-bit copy of all data
   d. An encrypted copy of all contents of the hard drive

==============================================================
Additional questions with answers

Which of the following actions is a priority to take when a server is infected with a virus?
Answer: Isolate the infected server(s) from the network.

Which of the following is the first step in developing an incident response plan?
Answer: Create a policy. The steps commonly listed for developing an incident response plan (the source announces six, but only five appear here) are:
1. Create a policy.
2. Form an incident response team and define responsibilities.
3. Develop playbooks.
4. Create a communication plan.
5. Identify lessons learned.

Which of the following is most important to consider when determining the effectiveness of the information security governance program?
Answer: Compliance with the organization's information security requirements.

Which of the following is the most significant challenge when developing an incident management plan?
Answer: Lack of management support and organizational consensus (see Senior Management Commitment above). Resource allocation is instead the driver for triage, where limited resources make prioritization and categorization necessary.