Introduction to Incident Response


Overview

While preventative controls remain a critical component of an effective information security program, the ability to detect and respond to security incidents continues to increase in importance. The number of breaches reported each year, combined with evidence of increasingly sophisticated attacks, only serves to emphasize the need for organizations to have staff members skilled in managing information security incidents. This course is designed to provide the knowledge and experience you need to develop critical incident response policies and procedures, as well as identify technologies that can help you effectively manage security incidents. Through discussion and hands-on exercises, participants gain specialized knowledge of security incident response. The course covers cyber-attacks, computer forensics, incident response detection and assessment, controls and preparation, communications, post-incident activity, and reporting. It also covers third-party incident response considerations, training and recovery, and key considerations when preparing audit programs. Another feature of the class is the review of guidance from organizations like the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), the US Computer Emergency Readiness Team (CERT), the Federal Financial Institutions Examination Council (FFIEC), the Financial Services Information Sharing and Analysis Center (FSISAC), the National Cybersecurity and Communications Integration Center (NCCIC), and the Cloud Security Alliance (CSA).

Here are the topics we'll cover.

  1. What is Incident Response?
    • Fundamental concepts and incident types
    • Incident continuum and response planning timeline
    • The link to business continuity (BC) and disaster recovery (DR)
  2. Need for Incident Response
    • Industry reports, key statistics, and costs
    • Illustrative case studies
    • Current and future cybersecurity challenges
    • Cybersecurity maturity
    • Cyberliability insurance and common reasons for claim denials
  3. Cyber Attacks
    • Types, characteristics, and trends
    • Vulnerabilities
  4. Computer Forensics
    • Key concepts and legal considerations
    • Types of evidence, gathering, and handling
    • Digital forensic tools and analysis
    • Top forensic mistakes
  5. Incident Response (IR) Controls
    • Review of key controls
  6. Incident Response (IR) Preparation
    • IT risks and security governance
    • Key steps for incident response preparation
    • Risk assessment strategy and steps, policies, standards and procedures
    • Asset inventories, public statements, vulnerability management and penetration testing
  7. Formation and Training of a Computer Security Incident Response Team (CSIRT)
    • Definitions and key considerations
    • Function and skills differences between CSIRT, CERT, SOC
    • Selection criteria, team composition, and outsourcing options
  8. Incident Response Communications
    • Communication plans, essential components and characteristics
    • Internal and external communications
    • The link between timing, incident escalation and related procedures
    • Review of legal requirements, liability issues, card industry requirements, and incident response organizations
  9. Incident Response Documentation and Reporting
    • Documenting incidents and reporting to various stakeholders
    • Best practices and common issues with incident reports
  10. Incident Detection and Analysis
    • Detection challenges and what to do during the first hours
    • Compromise indicators and thresholds for reportable incidents
    • Tips and tools for incident detection and categorization
    • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
    • Log management systems best practices
  11. Incident Assessment and Investigation
    • Incident assessment methodology, analysis, and team activities
    • Incident investigation checklist and key considerations
  12. Incident Containment, Eradication, and Recovery
    • Key steps for damage limitation and to eliminate the cause
    • Essential activities and requirements for recovery
    • Recovery checklist and key questions to ask
    • Setting, monitoring, and achieving key metrics and plan goals
  13. Post Incident Activity
    • Post action review and gathering of lessons learned
    • Avoiding common mistakes
  14. Incident Response Plans
    • Techniques to create and manage response plans
    • Key components, design, metrics, and what is often overlooked
    • Testing the playbook, tools, and essential resources
    • Key forensic actions
  15. Training
    • Differences between training and awareness
    • Training: Who, what, when, where, why, and how
    • Training objectives, materials, metrics, and tailoring to various stakeholders
  16. Incident Response Testing
    • Types of testing
    • Test plan development and deployment
  17. Third-Party and Cloud Incident Response Considerations
    • Third-party risks
    • Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) for third parties
    • Incident response actions based on cloud service models
    • Contracts and service level agreements (SLAs)
    • Incident response framework and the shared responsibility matrix
  18. Final Incident Response Thoughts and Audit Considerations
    • Key objectives, deliverables, and examination areas
    • Essential KPIs and KRIs

Learning Style

Instructor Led

Level

Intermediate

Who this course is for

Information security and IT managers, information security analysts, security architects, security administration, system administrators, network administrators, IT auditors, consultants, and compliance managers.

NASBA Certified CPE

24 credits

Field of Study

Auditing

Length of course

24h

Prerequisites

None

Advanced Preparation

None

Here are the learning objectives we'll cover

  • Describe incident response preparation, detection, and response techniques.
  • List key incident response documents and practices.
  • Identify key risks, controls, and audit techniques.

Attendance policy for on-site and online instructor-led training

Students are expected to arrive on time for classes with the proper materials and attitude. An overall attendance rate of 100% is expected to fully absorb the materials and to complete labs. If you have an expected absence, please email support@acilearning.com or your instructor ahead of time. The number of CPEs awarded will be equivalent to the number of hours attended.

ACI Learning is registered with NASBA

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: https://www.nasbaregistry.org/