Page 1190 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

an incident has occurred. Intrusion detection and prevention systems often give false alarms, and end users are prone to simple user errors. IT personnel investigate these events to determine whether they are incidents.

Many IT professionals are classified as first responders for incidents. They are the first ones on the scene and have knowledge on how to differentiate typical IT problems from security incidents. They are similar to medical first responders who have outstanding skills and abilities to provide medical assistance at accident scenes, and help get the patients to medical facilities when necessary. The medical first responders have specific training to help them determine the difference between minor and major injuries. Further, they know what to do when they come across a major injury. Similarly, IT professionals need specific training so that they can determine the difference between a typical problem that needs troubleshooting and a security incident that they need to escalate.


After investigating an event and determining it is a security incident, IT personnel move to the next step: response. In many cases, the individual doing the initial investigation will escalate the incident to bring in other IT professionals to respond.


Response

After detecting and verifying an incident, the next step is response. The response varies depending on the severity of the incident. Many organizations have a designated incident response team, sometimes called a computer incident response team (CIRT) or computer security incident response team (CSIRT). The organization activates the team during a major security incident but does not typically activate the team for minor incidents. A formal incident response plan documents who would activate the team and under what conditions.
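The event-to-incident-to-escalation flow described above, as an added example that is not from the study guide: an alert by itself is only an event, a corroborated security indicator makes it an incident, and only a major incident activates the response team. The classification rules, the MAJOR_HOST_THRESHOLD value, and the sample events are assumptions constructed for illustration, standing in for whatever conditions a real incident response plan documents.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed plan condition (illustrative): this many affected hosts makes an incident major.
MAJOR_HOST_THRESHOLD = 3


@dataclass
class Event:
    source: str                # "ids", "ips", "auth", "helpdesk", ...
    indicator: Optional[str]   # security indicator, or None for a plain IT problem
    corroborated: bool         # confirmed by an independent source (logs, endpoint, user)
    critical_asset: bool       # touches a critical or sensitive system
    hosts_affected: int = 1


def triage(event: Event) -> Tuple[str, str, bool]:
    """Classify one event and decide whether the CSIRT is activated.

    Returns (classification, severity, activate_team).
    """
    if event.indicator is None:
        # No security indicator at all: a routine IT problem to troubleshoot.
        return ("it_problem", "none", False)
    if not event.corroborated:
        # An alert alone is only an event. IDS/IPS false alarms are common, so the
        # first responder keeps investigating rather than escalating on the alert.
        return ("unconfirmed_event", "none", False)
    # A corroborated indicator is a security incident. Severity decides whether
    # the plan activates the full response team; minor incidents stay with IT staff.
    major = event.critical_asset or event.hosts_affected >= MAJOR_HOST_THRESHOLD
    return ("incident", "major" if major else "minor", major)


# Constructed sample queue as a first responder might see it.
SAMPLE_EVENTS = [
    Event("helpdesk", None, False, False),                      # lockout after mistyped passwords
    Event("ids", "signature: SQL injection attempt", False, False),  # single alert, nothing else
    Event("auth", "one account used from two countries", True, False),
    Event("ips", "beaconing to a known C2 address", True, True, hosts_affected=4),
]


def triage_queue(events):
    """Triage every event in the queue, preserving order."""
    return [triage(e) for e in events]
```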

Team members are trained on incident response and the organization’s incident response plan. Typically, team members assist with investigating the incident, assessing the damage, collecting evidence, reporting the incident, and recovery procedures. They also participate in the remediation and lessons learned stages, and help