222 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
detect capability. The calculation of (time_d – time_0) is the time to detect an event. This time may be seconds, minutes, hours, days, weeks, or months. Very sophisticated attacks may even take years to first detect. Antivirus scanning of e-mail is intended to detect malware in incoming e-mail. This scanning is only as good as the signature files as of the day and hour of scanning. Rescanning e-mails with a newer signature file may find malware that previously made it through, i.e., time to detection is greater for a certain number of malware than for others. This provides you a clue to look into updating signature files more often, perhaps running multiple antivirus scanners to detect more malware at initial scan, or adding retroactive scanning of e-mail with new signatures as part of standard operating procedure.
The time of event receipt at the Help Desk or SOC is time of notification (time_n); (time_n – time_d) is the time from detection to notification. A long time between detection and notification may provide a clue that employees need better training on notification procedures. The time for the Help Desk to triage the event and assign remediation responsibility is triage time (time_t); (time_t – time_n) provides insight into triage capabilities and the time necessary to determine the need to escalate the incident to a subject matter expert, the time to restore business functionality (which may not include restoring the actual system), and the time to conduct an RCA, implement the fix to the real problem, and then provide enterprise feedback for broad remediation efforts.
The more granular the incident response steps, the more focused and useful the metrics are to show how each step is doing and where modifications may be necessary to improve incident response time. Similarly, there can be efficiency metrics assigned at each step that measure the quality of the response, e.g., the correct people are notified, progress and results, the details of the notification are sufficient for them to make appropriate business decisions, the correct people are assigned for incident handling, etc.
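The step timings described above, worked on constructed data as an added example (not from the book): it computes the detect, notify and triage intervals per incident, summarises them per step, flags the step with the largest median as the one to improve first, and lists incidents that exceeded assumed per-step targets.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not from the book) with the four timestamps the text
# defines: time_0 event occurs, time_d detected, time_n SOC/Help Desk notified,
# time_t triaged and remediation assigned.
INCIDENTS = [
    {"id": "INC-1", "time_0": "2011-03-01T08:00", "time_d": "2011-03-01T08:05",
     "time_n": "2011-03-01T09:40", "time_t": "2011-03-01T10:00"},
    {"id": "INC-2", "time_0": "2011-03-02T14:00", "time_d": "2011-03-02T14:30",
     "time_n": "2011-03-02T16:00", "time_t": "2011-03-02T16:15"},
    {"id": "INC-3", "time_0": "2011-03-03T01:00", "time_d": "2011-03-03T03:00",
     "time_n": "2011-03-03T09:00", "time_t": "2011-03-03T09:30"},
]
# Response steps as (name, start, end), i.e. detect = time_d - time_0,
# notify = time_n - time_d, triage = time_t - time_n.
STAGES = [("detect", "time_0", "time_d"), ("notify", "time_d", "time_n"),
          ("triage", "time_n", "time_t")]
# Hypothetical per-step targets in minutes, chosen only for illustration.
TARGETS = {"detect": 60, "notify": 30, "triage": 30}

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def stage_minutes(incident, start, end):
    """Minutes spent in one step; rejects records whose clocks run backwards."""
    delta = (_parse(incident[end]) - _parse(incident[start])).total_seconds() / 60
    if delta < 0:
        raise ValueError(f"{incident['id']}: {end} precedes {start}")
    return delta

def stage_summary(incidents):
    """Median and worst-case minutes per step across all incidents."""
    summary = {}
    for name, start, end in STAGES:
        values = [stage_minutes(inc, start, end) for inc in incidents]
        summary[name] = {"median": median(values), "max": max(values)}
    return summary

def bottleneck(incidents):
    """Step with the largest median duration: where improvement effort should go."""
    summary = stage_summary(incidents)
    return max(summary, key=lambda name: summary[name]["median"])

def breaches(incidents, targets=TARGETS):
    """(incident id, step, minutes) for every step that exceeded its target."""
    return [(inc["id"], name, minutes)
            for inc in incidents for name, start, end in STAGES
            if (minutes := stage_minutes(inc, start, end)) > targets[name]]
```

On this data the notify step has the largest median, which is the kind of signal the text says points at notification training rather than at detection tooling.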
Additional metrics are possible for a number of known vulnerabilities, pending patches, patches installed, and priority threats. All of these contribute to an objective assessment of the current risk posture, security posture, threat space, assets space, and vulnerability space. All metrics contribute to establishing good business practice, to showing due diligence in protecting customer information, and toward reducing culpability of the enterprise in the event of litigation. No enterprise is expected to be perfect, but all enterprises are expected to provide reasonable precautions and protective measures. Formal incident response and tracking incident response metrics go a long way toward showing this.
Problem Management
When encountering interruptions to operations, the expedient response is to work through or around the interruption to achieve the task at hand. Discovery of the error or problem that causes the interruption is often secondary to achieving the task.
The error control process is an iterative process that diagnoses errors with the intent