The fourth domain of CISM is Information Security Incident Management. Next slide. Module 1 talks about an effective incident management program. By definition, incident management is everything that's concerned with planning, establishing and managing the capability to detect, investigate, respond to and recover from information security incidents in order to minimize the amount of damage that they would have on the business and the impact on the different business functions. The objectives, of course, for you as a CISM candidate are to make sure that you have the knowledge and understanding to be able to identify, analyze and respond effectively to unexpected occurrences that might adversely affect the organization; to put together the incident response plan, which means you need to know the different components; then to be able to evaluate the effectiveness of that incident response plan, as well as to understand the relationship between all of the different plans, IRP, DRP, BCP, and all of the different plans that need to be in place in order to set forth the business. This is approximately 19% of the CISM exam, and there'll be about 28 questions on the exam that cover incident management.

What do we need to do? What are the different tasks? Well, first of all, we have to define what incident means to the organization. What are information security incidents? We have to put together a plan. We have to document the different steps, the processes, the procedures. We have to put together the process for how you investigate and document incidents, how you escalate them, and who gets notified if they are escalated. Then we have to identify the team, organize and train the team, equip them with the material and the tools that they need, and, like any other plan, we have to test this plan. Also, with incident response, communication is critical: who do we communicate to, when and how.
After any incident, we need to do lessons learned, and we have to make sure that this is integrated along with disaster recovery, business continuity, business impact analysis and risk assessment.

What do we need to know? We need to know incident management: what are the different concepts and practices, what are the pieces that make up that incident response plan, and how does that relate to business continuity, disaster recovery, risk assessment or business impact analysis? How do you categorize and prioritize incidents? How do you contain them? At what point in time do you escalate an incident? Who are all of the people that are involved, and what are their roles and responsibilities? What are the different tools that are needed? And how do you train the people that are going to be members of your incident response team in the usage of those tools? Part of that may include a knowledge and understanding of forensic investigation and the collecting, preserving and presenting of evidence. We also have to know what both internal and external reporting requirements are. How do you do lessons learned or post-mortem activities? How do you control impact? How do you minimize damage? How do you then quantify it in terms of dollars? Because that's what management wants to know: how much did this cost me? What are the methods for identifying the potential impact? What are the different techniques to put together to test your plan? What are the laws, the rules, the regulations? And what are the key indicators and metrics that we need to put in place so that we can evaluate the effectiveness of our incident response plan?

Incident management is defined as the capability to manage unexpected disruptive events. We need to know and understand what our operational capability is. It helps us identify, prepare for and respond to incidents as they occur.
It's your responsibility as an information security manager to ensure that the organization has an established, approved and maintained incident response plan.