Page 1193 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

the organization must report it. Different laws have different reporting
requirements, but most include a requirement to notify individuals
affected by the incident. In other words, if an attack on a system
resulted in an attacker gaining PII about you, the owners of the system
have a responsibility to inform you of the attack and what data the
attackers accessed.

In response to serious security incidents, the organization should
consider reporting the incident to official agencies. In the United
States, this may mean notifying the Federal Bureau of Investigation
(FBI), district attorney offices, and/or state and local law enforcement
agencies. In Europe, organizations may report the incident to the
International Criminal Police Organization (INTERPOL) or some
other entity based on the incident and their location. These agencies
may be able to assist in investigations, and the data they collect may
help them prevent future attacks against other organizations.


               Many incidents are not reported because they aren’t recognized as
               incidents. This is often the result of inadequate training. The obvious
               solution is to ensure that personnel have relevant training. Training
               should teach individuals how to recognize incidents, what to do in the
               initial response, and how to report an incident.


               Recovery

After investigators collect all appropriate evidence from a system, the
next step is to recover the system, or return it to a fully functioning
state. This can be very simple for minor incidents and may only
require a reboot. However, a major incident may require completely
rebuilding a system. Rebuilding the system includes restoring all data
from the most recent backup.

When a compromised system is rebuilt from scratch, it's important to
ensure it is configured properly and is at least as secure as it was
before the incident. If an organization has effective configuration
management and change management programs, these programs will
provide necessary documentation to ensure the rebuilt systems are
configured properly. Some things to double-check include access
control lists (ACLs) and ensuring that unneeded services and protocols
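The double-check described above (comparing a rebuilt host's listening services and ACLs against the configuration management baseline) can be automated so that drift is reported rather than eyeballed. The following is an added example, not code from the study guide: the baseline, the `ss -tlnp` style output and the ACL snapshot are all constructed sample data, and the port-to-protocol table is an assumption for illustration.

```python
"""Post-rebuild configuration check (added example, constructed data).

Compares what a rebuilt host is actually listening on, plus the
ownership/mode of a few sensitive paths, against the baseline that a
configuration management program would have recorded before the incident.
"""
import re

# Baseline as configuration management would record it (constructed).
BASELINE = {
    # (protocol, port) -> process that should own the socket
    "listening": {("tcp", 22): "sshd", ("tcp", 443): "nginx"},
    # path -> "owner:group mode", as `stat -c '%U:%G %a'` prints it
    "acl": {"/etc/shadow": "root:root 640", "/var/www": "root:www-data 755"},
    # protocols that must not be enabled on the rebuilt host
    "disabled_protocols": {"telnet", "ftp", "rsh"},
}

# Assumed port-to-protocol mapping used only to name a finding (assumption).
PROTOCOL_PORTS = {23: "telnet", 21: "ftp", 514: "rsh"}

# Constructed `ss -tlnp` output from the rebuilt host; telnet and a local
# mail listener appeared that the baseline does not know about.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("in.telnetd",pid=1301,fd=4))
LISTEN 0      100    127.0.0.1:25       0.0.0.0:*         users:(("master",pid=990,fd=13))
"""

# Constructed ACL snapshot of the rebuilt host; /etc/shadow is too open.
CURRENT_ACL = {"/etc/shadow": "root:root 644", "/var/www": "root:www-data 755"}

# Matches one LISTEN row of `ss -tlnp`: local address, port and process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


def parse_ss(output: str) -> dict[tuple[str, int], str]:
    """Return {(protocol, port): process} for every TCP LISTEN row."""
    listening = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listening[("tcp", int(m.group(2)))] = m.group(3)
    return listening


def check_rebuild(listening, current_acl, baseline=BASELINE) -> list[str]:
    """Return human-readable drift findings; an empty list means no drift."""
    findings = []
    # Anything listening that the baseline does not list is drift; name it
    # as a re-enabled disabled protocol when the port is a known one.
    for (proto, port), proc in listening.items():
        expected = baseline["listening"].get((proto, port))
        if expected is None:
            name = PROTOCOL_PORTS.get(port)
            if name in baseline["disabled_protocols"]:
                findings.append(
                    f"disabled protocol {name} listening on {proto}/{port} ({proc})"
                )
            else:
                findings.append(f"unexpected service {proc} on {proto}/{port}")
        elif expected != proc:
            findings.append(
                f"{proto}/{port} served by {proc}, baseline expects {expected}"
            )
    # A baseline service that is missing is also drift: the rebuild is incomplete.
    for (proto, port), proc in baseline["listening"].items():
        if (proto, port) not in listening:
            findings.append(f"baseline service {proc} on {proto}/{port} not listening")
    # Ownership and mode of sensitive paths must match the baseline exactly.
    for path, expected in baseline["acl"].items():
        actual = current_acl.get(path)
        if actual != expected:
            findings.append(f"ACL drift on {path}: {actual!r}, baseline {expected!r}")
    return findings


if __name__ == "__main__":
    for finding in check_rebuild(parse_ss(SS_OUTPUT), CURRENT_ACL):
        print("DRIFT:", finding)
```

On a real rebuild the `SS_OUTPUT` and `CURRENT_ACL` values would be gathered from the host with `ss -tlnp` and `stat`, and the baseline would come from the configuration management system rather than a literal in the script; the comparison logic is the same.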