| π Back to Exam Syllabus | πΊ RooCloud on YouTube | π RooCloud Practice Exams |
CISSP 17.1 - Conducting Incident Management (Part 1 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series opens incident management within Domain 7, Security Operations. It covers the front half of the incident lifecycle, from defining what counts as an incident through detecting, verifying, and responding to one, so the containment and recovery steps that follow slot cleanly into place.
What this episode covers
- What counts as an incident β harm from an attack or human action, defined in advance in a security policy or incident management plan and backed with examples.
- The seven phases β detection, response, mitigation, reporting, recovery, remediation, and lessons learned, run as a repeating loop.
- Why counterattacking is off the table β it is counterproductive and often illegal, since attackers hide behind spoofing and botnets.
- Detecting incidents β signals from intrusion detection, anti-malware, log scanners, and users, none of which are proof on their own.
- First responders β trained IT professionals who separate a routine glitch from a genuine incident and know when to escalate.
- What a real response looks like β it scales to severity, may activate a dedicated incident response team, and moves fast to shrink damage.
- Protecting volatile evidence β treat everything as potential evidence and never power off a compromised machine, or you lose the proof.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What actually counts as an incident?
In the broadest sense, an incident is any event that harms the confidentiality, integrity, or availability of your assets, a net wide enough to include storms, cut cables, and honest accidents. In this discipline we care about the narrower computer security incident, meaning harm caused by an attack or by malicious, deliberate, or careless human action. Organizations write this definition into their security policy or incident management plan and back it with concrete examples.
What are the phases of managing an incident?
The certification lays out seven ordered steps: detection, response, mitigation, reporting, recovery, remediation, and lessons learned. Treat it as a loop rather than a straight line, because what you learn at the end feeds better detection at the start. Some other frameworks compress these into four phases, but the elements and the goal are the same.
Why is counterattacking never part of the plan?
Because striking back is counterproductive and often illegal. Attackers hide behind spoofed addresses and hijacked machines in a botnet, so if you hack the source you likely hit an innocent victim. And if you do reach the real attacker, you have made it personal and invited a grudge campaign. The right move is to preserve the scene and call the professionals instead.
How do you detect a possible incident, and who responds first?
Detection signals come from intrusion detection and prevention systems, anti-malware tools, automated log scanners that flag predefined events, and ordinary users reporting trouble. An alert is not proof, so every signal has to be investigated. The first responder arrives first, an IT professional trained to tell a routine glitch apart from a genuine security incident, then escalate to the response stage once an event is confirmed.
How do you handle evidence during a response?
Treat everything as potential evidence, because management may decide to prosecute, and protect the data so it holds up in court. Response scales to severity, and speed matters because time is the attackerβs biggest ally. One rule trips people up: do not power off a compromised machine while containing it. Volatile memory and temporary files vanish the instant power is lost, and forensic tools can only recover that live data while the machine stays running.
π Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 17.1 - Conducting Incident Management (Part 1 of 2).