Domain 4: Risk, Response, and Recovery

Terms and Definitions

Asset: An item or entity of quantitative or qualitative value to an organization. Assets may be tangible (physical property, intellectual property) or intangible (processes, business relationships).

Threat: Any agent or process that could harm the value of an asset by affecting its confidentiality, integrity, or availability, that is, through disclosure, modification or corruption, destruction, or denial of access.

Vulnerability: A weakness that may be exploited by a threat for the purpose of harming an asset. A vulnerability may be a flaw in the design or implementation of a system, policy, process, or procedure.

Control: A policy or procedure used to mitigate potential risks. Controls may be administrative, technical, or physical.

Countermeasure: A control used to mitigate the effect of an exploit upon an asset.

Safeguard: A control used to limit exposure of an asset to a threat before an exploit has occurred.

Exposure: The instance of an asset being susceptible to losses from a threat.

Exposure Factor: The percentage of loss (of value) to a specific asset due to exposure to a specific threat.

Risk Management: The process of identifying the severity of potential risks, identifying vulnerabilities, and assigning priorities to each risk. Performed to allow management to decide on the appropriate controls (safeguards and countermeasures) to implement in order to mitigate risks acceptably.

Risk Management and Analysis

Risk Analysis: The process of determining the objective and subjective value of an asset, identifying the specific threats to the asset, and estimating the loss that will occur to the asset if a threat is realized. Both quantitative and qualitative calculations are used.

Asset Valuation: The process of determining the objective and subjective value of an asset.

Threat Identification: The identification of the specific threats to the asset.

Qualitative Valuation: The subjective determination of an asset's value based on relationship to other assets, such as intellectual property and mission-critical importance. Used in inductive evaluations.

Quantitative Valuation: The objective determination of an asset's value by assigning hard numbers to an asset's value, including cost and man-hours used to purchase, develop, maintain, deploy, and replace the asset. Used in deductive evaluations.

Qualitative Risk Analysis

Quantitative Risk Analysis

Countermeasure Selection Criteria

Cost-Benefit Analysis

Return On Investment (ROI) Analysis

Roles and Responsibilities

Frequency of Risk Analysis


Control Objectives

Control Implementation

Control Testing



Business Continuity Planning

Phases of BCP

Project Management

Business Impact Analysis (BIA)

BIA Models

Recovery Planning

Recovery Categories

Disaster Recovery

Incident Response

Tasks performed by a Computer Incident Response Team (CIRT)

    • Coordinate the distribution of information pertaining to the incident to the appropriate parties.
    • Mitigate risk to the enterprise.
    • Assemble teams to investigate the potential vulnerabilities.

Property insurance has Replacement Cost Valuation (RCV), which pays for a new item to replace the old one regardless of the condition of the lost item.

Electronic vaulting, remote journaling and database shadowing provide redundancy at the transaction level.

The first contact should be with the responsible manager and other managers who need to be made aware, but that choice is not listed here.

The next in order of importance should be the internal public relations point of contact, making it the first in importance of the offered choices.

Next, the Local Computer Security Incident Response Team (CSIRT), if one exists, should be contacted.

Other contacts can be notified in varying order according to the type of intrusion or other circumstances.


Computer Incident Response Issues

Electronic Forensics

Media Analysis Procedures

Hard Disk Examination

Incident Response Procedures (Windows 2000)

The Carnegie Mellon Software Engineering Institute (SEI) has a six-step methodology for incident handling called PDCERF, for Preparation, Detection, Containment, Eradication, Recovery, and Follow-up.

  • Preparation
    • Organizing efforts to respond to incidents before they occur
    • Goal is to minimize impact of incidents
    • Linked to policies, procedures, and BCP
    • A "fly-away" kit is a ready-to-deploy collection of the hardware, software, and personnel needed to respond to an incident.
    • Hardware includes forensics analysis tools, drive copying devices, and multiple interfaces for all types of computers.
    • Software must be trusted and free of malicious code.
    • Personnel must have assigned roles, training, and know their responsibilities as part of the incident response team.
    • Also needed are administrative materials, including contracts, waivers, contact lists, written procedures and worksheets, evidence tags, and recording devices.
  • Detection
    • Reliance on technical controls (IDS, IPS, event logging, etc.) to discover incidents.
    • Human users also report incidents.
    • Education must be used to train users how to detect and properly report anomalous events.
  • Containment
  • Eradication
  • Recovery
  • Follow-up


Recovery Time

Recovery Objectives

Processing and Information Gap

Recovery Time Objective

Recovery Resources

Personnel Resources

Recovery Phase

Phases 1-7

Success Criteria

IT Management Role during Recovery

IT Management Role after Recovery

Verify and Update Procedures
