Domain 4

4.8 Incident Response

Explain appropriate incident response activities.

0% Complete

1

4.8.1 Process

Preparation through lessons learned.

An effective security posture relies on standardized processes for assessing risk, managing data privacy, and ensuring business continuity through rigorous preparation and response.

Risk Assessment and Management Organizations utilize frameworks like NIST SP 800-30 or the ISACA Risk IT Framework to identify and mitigate threats. The standardized NIST process follows four distinct stages: - Prepare: Establish the scope and identify the environment of the assessment. - Conduct: Identify threat sources, exploit-prone vulnerabilities, the likelihood of an event, and the magnitude of impact. - Communicate: Share findings with stakeholders to support informed decision-making. - Maintain: Monitor risks continuously as the threat landscape evolves.

Business Impact Analysis (BIA) The BIA, guided by NIST SP 800-34, identifies the operational consequences of disruptions to determine recovery priorities. - Mission-Essential Functions: Identifying the primary workflows the organization depends on to survive. - Resource Requirements: Determining the critical tools, systems, and interdependencies needed to resume functions. - Outage Impacts: Estimating Maximum Tolerable Downtime (MTD) and the financial or operational cost of system failure.

Data Privacy Roles Regulatory frameworks such as GDPR define specific responsibilities for protecting Personally Identifiable Information (PII): - Data Controller: The entity responsible for determining the purposes and means of processing personal data. They ensure overall regulatory compliance. - Data Processor: Acts on behalf of the controller, performing specific actions on data (e.g., a cloud provider or payroll firm). - Data Custodian: Manages the technical aspects of data, including backups, storage, and security controls, to ensure availability and integrity.

Cryptographic Processes Security processes use mathematical functions to protect data at rest, in use, and in transit: - Encryption: A reversible process used for confidentiality. It converts plaintext into ciphertext; only authorized parties with a secret key can reverse it (decryption). - Hashing: A one-way function used strictly for integrity. It produces a unique cryptographic sum. If the data changes by even one bit, the hash changes, indicating tampering.

Quick recall - NIST SP 800-30: The standard for conducting risk assessments. - BIA Focus: Identification of mission-essential functions and resource dependencies. - Controller vs. Processor: The controller decides "why" and "how"; the processor executes the task. - Integrity vs. Confidentiality: Use hashing for integrity (no-reversing); use encryption for confidentiality (reversible). - Vulnerability: A weakness; Likelihood: The probability that a weakness is exploited.

2

4.8.2 Training & Testing

Tabletop, simulation.

3

4.8.3 Root Cause Analysis & Threat Hunting

4

4.8.4 Digital Forensics

Legal hold, chain of custody, e-discovery.