Incident Response Process: CISSP CIB vs SANS/Generic

jonwinterburnjonwinterburn Member Posts: 161 ■■■■□□□□□□
in SSCP
Hi all.

So I'm studying for my CISSP exam and I came across something I'm unclear on. In my daily duties, I abide by the SANS Incident Response process, which is referenced in a number of materials (both study material and other InfoSec stuff) as such:

Acronym: PICERL
1. Preparation
2. (Identification) Detection & Analysis
3. Containment
4. Eradication
5. Recovery
6. (Lessons Learned) Post-Incident Activity

However, on page 19 of the CISSP CIB, it explicitly lists the process steps as:

1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review

You can view this at: https://www.isc2.org/uploadedfiles/%28isc%292_public_content/exam_outlines/cissp-cib.pdf

It appear the CIB leaves the first step (Preparation) out and classifies the Eradication step as Reporting.

Any comments? I just don't like inconsistency and want to have all phases for all processes right in my mind for the exam.

Thanks,

Jon
· Share on FacebookShare on Twitter

Comments

  • aftereffectoraftereffector Member Posts: 525
    What's the inconsistency? SANS has one process, and ISC2 has another process. You are studying for ISC2's test...
    CCIE Security - this one might take a while...
    · Share on FacebookShare on Twitter
  • jonwinterburnjonwinterburn Member Posts: 161 ■■■■□□□□□□
    aftereffector wrote: »
    What's the inconsistency? SANS has one process, and ISC2 has another process. You are studying for ISC2's test...

    That's as may be. But a number of CISSP resources reference the SANS process (not by name, as it's not owned by SANS, it's the industry-standard approach). The fact is. ISC2 usually abide by industry-standard processes; they're vendor-neutral. I just don't get why they invent their own process when the rest of the industry uses the other process (and the industry process makes more sense - removing preparation doesn't make sense).
    · Share on FacebookShare on Twitter
  • aftereffectoraftereffector Member Posts: 525
    When in doubt, I would always go with whatever is published by ISC2. However, you aren't going to be asked "What is step 3 of the incident response process?" on the exam - the exam questions aren't trivia questions like that - so with the amount of studying and effort you have already put into this, you will be fine.
    CCIE Security - this one might take a while...
    · Share on FacebookShare on Twitter
  • cyberguyprcyberguypr Mod Posts: 6,927 Mod
    Correct. The steps are the same, maybe grouped differently. SANS opinion/methodology does not matter for ISC2 purposes. No two CISSP books I've read list all steps with the same names. Even NIST 800-61 uses 4 main categories:
    -Preparation
    -Detection and Analysis
    -Containment, Eradication, and Recovery
    -Post-Incident Activity
    · Share on FacebookShare on Twitter
  • jonwinterburnjonwinterburn Member Posts: 161 ■■■■□□□□□□
    Thanks guys, that makes sense.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.