| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 17.1 - Conducting Incident Management (Part 2 of 2)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series completes incident management within Domain 7, Security Operations. Picking up where the response stage left off, it walks the back half of the lifecycle, from containing the damage and meeting reporting duties through recovery, remediation, and turning the whole ordeal into stronger future detection.
What this episode covers
- Mitigation — limiting the scope by disabling an adapter, isolating a subnet, or quietly containing an incident to watch the attacker.
- Internal reporting — matching the audience to the severity, so minor events stay local while serious breaches reach upper management fast.
- Legal reporting duty — breach laws that require notifying affected individuals when data, especially personally identifiable information, is exposed.
- Involving law enforcement — often advisable and sometimes mandatory, particularly once personal information or payment card rules are in play.
- Recovery — restoring a system to at least its former security, from a simple reboot to a full rebuild and backup restore.
- Remediation — using root cause analysis to fix the underlying flaw rather than the symptom.
- Lessons learned — reviewing the incident and response and looping findings back into stronger detection.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How do you contain the damage during mitigation?
Mitigation is all about limiting the scope. If an infected machine is leaking data through its network adapter, you disable that adapter or unplug the cable, and sometimes you isolate an entire subnet so the problem cannot spread. Once the trouble is fenced in, the team can work on it calmly. In some cases responders quietly contain the incident without tipping off the attacker, so they can watch the activity and map its full scope.
Who needs to be told about an incident?
Reporting flows both inside and outside the organization. Internally, a minor malware hit does not warrant a call to the chief executive, but a serious breach does, so match the audience to the severity. Externally, many jurisdictions have breach laws that require notifying affected individuals when sensitive data such as personally identifiable information is exposed, and serious incidents often warrant reporting to official agencies who may assist the investigation.
How do you safely bring a system back to life?
Recovery returns the system to full operation. A minor incident might need only a reboot, while a major one may mean rebuilding the system entirely and restoring data from the most recent backup. Make sure the result is at least as secure as before the attack, double-checking access control lists, running services and protocols, patches, user accounts, and any known compromises. If you suspect hidden malicious code, a full rebuild from scratch is the safest path.
How do you stop the same thing from happening again?
That is the job of remediation, and its engine is root cause analysis. You examine the incident to find exactly what let it succeed, then recommend a fix. If a server was missing patches you stand up a patch management program, if an application skipped input validation you add proper validation, and if a database sat on the web server you move it behind another firewall. Fix the cause, not just the symptom.
How do you turn the ordeal into a lasting improvement?
The lessons learned stage examines both the incident and your response for anything worth changing, led by the response team and others who know the event well. If containment took too long, you ask why, and the output loops back to detection so you can tune your intrusion detection systems and catch the next attempt sooner. The team usually writes a report, and management decides which recommendations to adopt, owning the risk of any they reject.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 17.1 - Conducting Incident Management (Part 2 of 2).