The last module in Incident Management is lessons learned, or post-mortem. Part of what has to happen with incident response is the whole area of post-incident activities and investigations. We need to do lessons learned. Where can we improve our incident response program? How does it affect disaster recovery and business continuity? Next slide.

We need to look to see if we can identify what caused this particular incident. We do root cause analysis: who was involved? Where did it come from? When did it happen? How did it happen? Why did it happen? Which systems are available, what was the reason for the attack, and then we document all of this. We document it so that if it should occur at some point in the future, we have evidence of what we did, how we contained it, what damage it caused, and what we did to mitigate it. Or if we have similar incidents, we have something that worked, and we know how we can recover from it.

Part of the requirement for evidence collection is that incidents could potentially be crimes. So the information security manager, you, need to understand what's required when it comes to the collection and presentation of evidence, what we call chain of custody. What are the rules for collection? What are the rules for admissibility in court? And what are the consequences if there's any contamination to the incident or to the evidence that we've gathered? Failure to realize this, failure to understand the rules and the consequences, basically makes an organization unable to identify how the intrusion was completed, or whether there are instances where we need to change the security program. We don't have the appropriate evidence, because that evidence may have been tampered with.

Some of the legal aspects for evidence collection: chain of custody; having an evidence collection checklist for the people that are actually doing the collection; documenting everything in an activity log; having signed acceptable use policies, non-disclosure agreements, and confidentiality forms; having an updated case log; making sure that you're running NTP, Network Time Protocol. All of those are legal aspects when it comes to forensics, evidence collection, and gathering.

That is the end of domain number four in CISM. There are a couple of things that you might want to consider reading as additional resources. Jim Burtles has something out there called Principles and Practice of Business Continuity: Tools and Techniques. Make sure you get the documentation from Carnegie Mellon; that's a free download on how to create and put together a CSIRT, a computer security incident response team. Look at the information on the FEMA website. Look at what Symantec is doing in their documentation of managing security incidents in the enterprise.

What I'd like for you to do now: there's a case study at the end of domain number four in the ISACA review manual, starting on page 252. Go through, read and review that case study, and answer the following three questions. Question 1: which of the following would have aided the Network Operations Center employees in identifying the severity? A, updated policy; B, meaningful metrics; C, additional training; or D, increased decision-making autonomy. Question 2: who ultimately should be responsible for ensuring that a single disaster recovery plan is in place? Question 3: who should be accountable for not having an effective DRP?

My name is Ken McGee. I hope you have enjoyed these short clips on CISM. I look forward to seeing you in class, and I look forward to having you in another course with INFOSEC sometime in the near future. Thank you.