Incident Response Process: CISSP CIB vs SANS/Generic
jonwinterburn
Member Posts: 161 ■■■■□□□□□□
in SSCP
Hi all.
So I'm studying for my CISSP exam and I came across something I'm unclear on. In my daily duties, I abide by the SANS Incident Response process, which is referenced in a number of materials (both study material and other InfoSec stuff) as such:
Acronym: PICERL
1. Preparation
2. (Identification) Detection & Analysis
3. Containment
4. Eradication
5. Recovery
6. (Lessons Learned) Post-Incident Activity
However, on page 19 of the CISSP CIB, it explicitly lists the process steps as:
1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review
You can view this at: https://www.isc2.org/uploadedfiles/%28isc%292_public_content/exam_outlines/cissp-cib.pdf
It appears the CIB leaves the first step (Preparation) out and classifies the Eradication step as Reporting.
Any comments? I just don't like inconsistency and want to have all phases for all processes right in my mind for the exam.
Thanks,
Jon
Comments
aftereffector Member Posts: 525 ■■■■□□□□□□
What's the inconsistency? SANS has one process, and ISC2 has another process. You are studying for ISC2's test...
CCIE Security - this one might take a while...
jonwinterburn Member Posts: 161 ■■■■□□□□□□
aftereffector wrote: »
What's the inconsistency? SANS has one process, and ISC2 has another process. You are studying for ISC2's test...
That's as may be. But a number of CISSP resources reference the SANS process (not by name, as it's not owned by SANS; it's the industry-standard approach). The fact is, ISC2 usually abides by industry-standard processes; they're vendor-neutral. I just don't get why they invent their own process when the rest of the industry uses the other process (and the industry process makes more sense - removing preparation doesn't make sense).
aftereffector Member Posts: 525 ■■■■□□□□□□
When in doubt, I would always go with whatever is published by ISC2. However, you aren't going to be asked "What is step 3 of the incident response process?" on the exam - the exam questions aren't trivia questions like that - so with the amount of studying and effort you have already put into this, you will be fine.
CCIE Security - this one might take a while...
cyberguypr Mod Posts: 6,928 Mod
Correct. The steps are the same, maybe grouped differently. SANS opinion/methodology does not matter for ISC2 purposes. No two CISSP books I've read list all steps with the same names. Even NIST 800-61 uses 4 main categories:
-Preparation
-Detection and Analysis
-Containment, Eradication, and Recovery
-Post-Incident Activity