Enterprise Incident Management : The CISM Framework

Alignment with CISM Domains

What is it? The CISM framework for enterprise Incident Management aligns closely with its four domains: Information Risk Management, Governance, Program Development and Management, and Incident Management and Response.

Example For instance, Governance in CISM ensures that the Incident Management process aligns with the organization’s overall business objectives and compliance requirements.

Who is Responsible?

• CISM-Certified Managers: Oversee the alignment of Incident Management with CISM domains.
• Governance Board: Ensures that policies align with business objectives.

Role of Governance in Enterprise Incident Management

What is it? Governance sets the strategic direction for Incident Management, ensuring that it aligns with business objectives and compliance requirements.

Example A governance board may set a policy that all incidents must be resolved within a certain timeframe to minimize business impact.

Who is Responsible?

• Governance Board: Sets the strategic direction.
• CISM-Certified Managers: Implement governance policies in Incident Management.

Incident Management Policies and Procedures

What is it? These are the guidelines and standard operating procedures that dictate how incidents are to be managed.

Example A policy might state that all incidents must be reported to a centralized incident response team within 30 minutes of discovery.

Who is Responsible?

• CISM-Certified Managers: Develop and implement policies.
• Incident Response Team: Follows the procedures during an incident.

Enterprise Incident Management Lifecycle

Preparation Phase

What is it? This phase involves preparing the organization to effectively handle incidents. This includes setting up an incident response team, defining roles, and equipping them with the necessary tools and processes.

Example Creating an Incident Response Plan (IRP) that outlines the steps to be taken when an incident occurs.

Who is Responsible?

• CISM-Certified Managers: Oversee the preparation phase.
• IT Staff: Set up the necessary tools and systems.

Identification Phase

What is it? This phase focuses on detecting incidents through continuous monitoring of the IT environment.

Example Using Security Information and Event Management (SIEM) systems to monitor logs and generate alerts for suspicious activities.

Who is Responsible?

• Security Analysts: Monitor for incidents.
• CISM-Certified Managers: Validate and prioritize incidents for response.

Containment Phase

What is it? This phase aims to contain the incident to prevent further damage. This could involve isolating affected systems or blocking malicious IP addresses.

Example In case of a malware outbreak, affected systems are isolated from the network to prevent the spread of malware.

Who is Responsible?

• Incident Response Team: Executes containment measures.
• IT Staff: Implements technical containment measures like system isolation.

Eradication Phase

What is it? During this phase, the root cause of the incident is identified and completely removed from the environment.

Example If the incident was caused by a phishing email, the eradication phase would involve removing the email from all systems and conducting a forensic analysis to understand how the breach occurred.

Who is Responsible?

• Forensic Analysts: Identify the root cause.
• IT Staff: Remove malicious elements from the environment.

Enterprise Recovery Phase

What is it? During this phase, normal operations are restored, and systems are monitored for signs of weaknesses that could be exploited again.

Example After removing a malware infection, systems are patched, and normal operations are resumed. Continuous monitoring is put in place to prevent re-infection.

Who is Responsible?

• IT Staff: Responsible for restoring systems to their normal state.
• CISM-Certified Managers: Oversee the recovery process and validate that it aligns with governance policies.

Lessons Learned

What is it? After the incident is handled, an analysis is conducted to learn from the incident and improve future response.

Example A post-incident report is created that outlines what went well, what could be improved, and what can be learned for future incidents.

Who is Responsible?

• CISM-Certified Managers: Conduct the lessons learned analysis.
• Incident Response Team: Contributes to the analysis and suggests improvements.

Tools and Technologies

Incident Management Software

What is it? Incident Management Software are specialized tools designed to assist in logging, tracking, and managing incidents. They often integrate with other systems to provide a centralized view of security events.

Example Software like ServiceNow or Jira can be used to track incidents, assign tasks, and manage workflows.

Who is Responsible?

• IT Staff: Set up and maintain the software.
• Incident Response Team: Use the software for tracking and managing incidents.

Forensic Tools

What is it? These are specialized tools used for investigating the root cause of an incident. They can analyze system logs, network traffic, and other data to provide insights into the incident.

Example Wireshark could be used for packet capture and network analysis during a data breach investigation.

Who is Responsible?

• Forensic Analysts: Use forensic tools for detailed investigation.
• IT Staff: Provide necessary access and data to forensic analysts.

Communication Platforms

What is it? These are tools used for effective communication among the incident response team and with other stakeholders. This could range from secure messaging apps to incident-specific dashboards.

Example Slack or Microsoft Teams channels dedicated to incident response for real-time communication.

Who is Responsible?

• Incident Response Team: Use the platforms for communication.
• CISM-Certified Managers: Ensure that communication is effective and secure.

Metrics and KPIs

Measuring Incident Response Time

What is it? This metric measures the time taken from the moment an incident is detected until it is resolved. It is crucial for assessing the effectiveness of the incident management process.

Example If the average response time for high-severity incidents is decreasing over time, it’s an indicator of an improving incident management process.

Who is Responsible?

• CISM-Certified Managers: Monitor this and other KPIs.
• Incident Response Team: Work to minimize response time.

Effectiveness of Incident Management

What is it? This is often measured through Key Performance Indicators (KPIs) like the number of incidents contained within a certain time frame or the impact level of incidents handled.

Example A KPI could be the percentage of incidents resolved within the first hour of detection.

Who is Responsible?

• CISM-Certified Managers: Define and monitor KPIs.
• Incident Response Team: Work to meet or exceed KPI targets.

You might also like:

1. CISM Certification
   • Why it’s recommended: This blog provides a comprehensive overview of the CISM certification, making it a great starting point for those new to the field or considering certification.
2. Enterprise Incident Management
   • Why it’s recommended: This blog delves into the specifics of incident management within an enterprise setting, offering practical insights that complement our discussion on the CISM framework for incident management.
3. Information Security Governance
   • Why it’s recommended: Governance is a key aspect of CISM, and this blog provides a detailed look at how to implement effective information security governance strategies.
4. Mastering the Pillars of GRC in Information Security Management: A CISM Perspective
   • Why it’s recommended: This blog focuses on Governance, Risk, and Compliance (GRC), three pillars that are integral to the CISM framework. It offers a unique perspective on how to master these elements in information security management.

Frequently Asked Questions About Enterprise Incident Management