Incident Response Process: CISSP CIB vs SANS/Generic

Hi all.

So I'm studying for my CISSP exam and I came across something I'm unclear on. In my daily duties, I abide by the SANS Incident Response process, which is referenced in a number of materials (both study material and other InfoSec stuff) as such:

Acronym: PICERL
1. Preparation
2. (Identification) Detection & Analysis
3. Containment
4. Eradication
5. Recovery
6. (Lessons Learned) Post-Incident Activity

However, on page 19 of the CISSP CIB, it explicitly lists the process steps as:

1. Detection
2. Response
3. Reporting
4. Recovery
5. Remediation and review

You can view this at: https://www.isc2.org/uploadedfiles/%28isc%292_public_content/exam_outlines/cissp-cib.pdf

It appear the CIB leaves the first step (Preparation) out and classifies the Eradication step as Reporting.

Any comments? I just don't like inconsistency and want to have all phases for all processes right in my mind for the exam.

Thanks,

Jon

Find more posts tagged with

Comments

aftereffector

What's the inconsistency? SANS has one process, and ISC2 has another process. You are studying for ISC2's test...

jonwinterburn

aftereffector wrote: »

What's the inconsistency? SANS has one process, and ISC2 has another process. You are studying for ISC2's test...

That's as may be. But a number of CISSP resources reference the SANS process (not by name, as it's not owned by SANS, it's the industry-standard approach). The fact is. ISC2 usually abide by industry-standard processes; they're vendor-neutral. I just don't get why they invent their own process when the rest of the industry uses the other process (and the industry process makes more sense - removing preparation doesn't make sense).

aftereffector

When in doubt, I would always go with whatever is published by ISC2. However, you aren't going to be asked "What is step 3 of the incident response process?" on the exam - the exam questions aren't trivia questions like that - so with the amount of studying and effort you have already put into this, you will be fine.

cyberguypr

Correct. The steps are the same, maybe grouped differently. SANS opinion/methodology does not matter for ISC2 purposes. No two CISSP books I've read list all steps with the same names. Even NIST 800-61 uses 4 main categories:
-Preparation
-Detection and Analysis
-Containment, Eradication, and Recovery
-Post-Incident Activity

jonwinterburn

Thanks guys, that makes sense.