Domain 4: Risk, Response, and Recovery
Terms and Definitions
Asset: An item or entity of quantitative or qualitative value to an organization. Assets may be tangible (physical property, intellectual property) or intangible (processes, business relationships).
Threat: Any agent or process that could harm the value of an asset by affecting its confidentiality, integrity, or availability through disclosure, modification or corruption, destruction, or denial of access.
Vulnerability: A weakness that may be exploited by a threat for the purpose of harming an asset. A vulnerability may be a flaw in the design or implementation of a system, policy, process, or procedure.
Control: A policy or procedure used to mitigate potential risks. Controls may be administrative, technical, or physical.
Countermeasure: A control used to mitigate the effect of an exploit upon an asset.
Safeguard: A control used to limit exposure of an asset to a threat before an exploit has occurred.
Exposure: The instance of an asset being susceptible to losses from a threat.
Exposure Factor: The percentage of loss (of value) to a specific asset due to exposure to a specific threat.
Risk Management: The process of identifying the severity of potential risks, identifying vulnerabilities, and assigning priorities to each risk. Performed to allow management to decide on appropriate controls (safeguards and countermeasures) to implement for acceptably mitigating risks.
Risk Management and Analysis
Risk Analysis: The process of determining the objective and subjective value of an asset, identifying the specific threats to the asset, and determining the loss that would occur to the asset if a threat is realized. Both quantitative and qualitative calculations are used.
Asset Valuation: The process of determining the objective and subjective value of an asset.
Threat Identification: The identification of the specific threats to the asset.
Qualitative Valuation: The subjective determination of an asset's value based on relationship to other assets, such as intellectual property and mission-critical importance. Used in inductive evaluations.
Quantitative Valuation: The objective determination of an asset's value by assigning hard numbers to an asset's value, including cost and man-hours used to purchase, develop, maintain, deploy, and replace the asset. Used in deductive evaluations.
Qualitative Risk Analysis
Quantitative Risk Analysis
Countermeasure Selection Criteria
Return On Investment (ROI) Analysis
Roles and Responsibilities
Frequency of Risk Analysis
Business Continuity Planning
Phases of BCP
Business Impact Analysis (BIA)
Tasks performed by a Computer Incident Response Team (CIRT)
- Coordinate the distribution of information pertaining to the incident to the appropriate parties.
- Mitigate risk to the enterprise.
- Assemble teams to investigate the potential vulnerabilities.
Property insurance with Replacement Cost Valuation (RCV) pays for a new item in place of the lost one, regardless of the condition of the lost item.
Electronic vaulting, remote journaling and database shadowing provide redundancy at the transaction level.
The first contact should be with the responsible manager and other managers who need to be made aware, but that choice is not listed here.
The next in order of importance should be the internal public relations point of contact, making it the first in importance of the offered choices.
Next, the Local Computer Security Incident Response Team (CSIRT), if one exists, should be contacted.
Other contacts can be notified in varying order according to the type of intrusion or other circumstances.
Computer Incident Response Issues
Media Analysis Procedures
Hard Disk Examination
Incident Response Procedures (Windows 2000)
Carnegie Mellon Software Engineering Institute (SEI) has a six-step methodology for incident handling called PDCERF for Preparation, Detection, Containment, Eradication, Recovery, and Follow-up.
- Organizing efforts to respond to incidents before they occur
- Goal is to minimize impact of incidents
- Linked to policies, procedures, and BCP
- A "fly-away" kit is a ready-to-deploy collection of the hardware, software, and personnel needed to respond to an incident.
- Hardware includes forensics analysis tools, drive copying devices, and multiple interfaces for all types of computers.
- Software must be trusted and free of malicious code.
- Personnel must have assigned roles, training, and know their responsibilities as part of the incident response team.
- Also needed are administrative materials, including contracts, waivers, contact list, written procedures and worksheets, evidence tags, and recording devices
- Reliance on technical controls (IDS, IPS, event logging, etc.) to discover incidents.
- Human users also report incidents.
- Education must be used to train users how to detect and properly report anomalous events.
Processing and Information Gap
Recovery Time Objective
IT Management Role during Recovery
IT Management Role after Recovery
Verify and Update Procedures