Incident Management and Response
CISO Tasks
Definition
Incident Management and Response Overview
Outcomes of Incident Management and Response
Scope & Charter of Incident Management
Responsibilities
Senior Management Commitment
Desired State
Challenges in Developing an Incident Management Plan
Policies and Standards
Personnel
Roles and Responsibilities
Roles and Responsibilities (continued)
Roles and Responsibilities (continued)
Skills
Current State of Incident Response Capability
History of Incidents
Risk Tolerance
Integrating a BIA Into Incident Response
* Should be based on BIA
Integrating RTO & RPO Into Incident Response
Elements of an Incident Response Plan
Elements of an Incident Response Plan
Elements of an Incident Response Plan
Elements of an Incident Response Plan
Elements of an Incident Response Plan
Elements of an Incident Response Plan
Elements of an Incident Response Plan
Organizing, Training and Equipping the Response Staff
Recovery Planning and Business Recovery Processes
Recovery Strategies
Incident Management and Response Teams
Notification Requirements
Periodic Testing of the Response and Recovery Plans
Testing for Infrastructure and Critical Business Applications
Type of Tests
Ensuring Execution as Required
* The CISO often serves as facilitator
Establishing Procedures
Requirements for Evidence
Post-event Reviews
Contact Information
November 2011 ISACA
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 

Dernier (20)

Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 

Incident Management and Response Overview

Editor's notes

  1. Content to Emphasize: The CISM candidate must have a thorough understanding of the knowledge statements in order to pass the CISM exam. Please explain that the learning objectives/tasks are what a CISM is expected to be able to do. The tasks relate to the knowledge statements. It may be helpful to explain that the CISM must know what the core business of the organization is if they hope to demonstrate to executive management how security can help to enable the business. Section one of the chapter in the 2011 manual provides an overview of the content as well as the task and knowledge statements. The relationship of the task statements to the knowledge statements is included on pages 232-238. In addition, an explanation is provided for each knowledge statement, its related key concepts and a reference to the content in the section of the chapter. Review Manual Reference Pages: pgs. 230-239
  2. Incident management is defined as the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits. Incident response is the operational capability of incident management that identifies, prepares for and responds to incidents to control and limit damage; provide forensic and investigative capabilities; and maintain, recover and restore normal operations as defined in service level agreements (SLAs). Review Manual Reference Page: pg. 238
  3. Content to Emphasize: Incident management and response is the operational part of risk management. It comprises the activities that take place as a result of unanticipated attacks, losses, theft, accidents or any other unexpected adverse events that occur because of the failure or lack of controls. The purpose of incident management and response is to manage and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels. These events can be technical, such as attacks mounted on the network via viruses, denial of service or system intrusion, or they can be the result of mistakes, accidents, or system or process failure. Disruptions can also be caused by a variety of physical events such as theft of proprietary information, social engineering, lost or stolen backup tapes or laptops, and environmental conditions such as floods, fires or earthquakes. Any type of incident that can significantly affect the organization’s ability to operate or that may cause damage must be considered by the information security manager and will normally be part of the incident management and response capabilities. As with other aspects of risk management, risk assessments and business impact assessments (BIA) form the basis for determining the priority of resource protection and response activities. Incident management and response is a part of business continuity planning (BCP), as is disaster recovery. The team acts as “first responder” to adverse information security-related events; its objective is to prevent incidents from becoming problems, and to prevent problems from becoming disasters. Review Manual Reference Pages: pg. 250
  4. Outcomes of good incident management and response will be an organization that can deal effectively with unanticipated events that might threaten to disrupt the business. The organization will have sufficient detection and monitoring capabilities to ensure incidents are detected in a timely manner. There will be well-defined severity and declaration criteria as well as defined escalation and notification processes. Personnel will be trained in the recognition of incidents, the application of severity criteria, and proper reporting and escalation procedures. The organization will have response capabilities that demonstrably support the business strategy by being responsive to the criticality and sensitivity of the resources protected. It will serve to proactively manage risks of incidents appropriately in a cost-effective way and will provide integration of security related organizational functions to maximize effectiveness. It will provide monitoring and metrics to gauge performance of incident management and response capabilities. It will periodically test its capabilities and ensure that information and plans are updated regularly, are current, and accessible when needed. Review Manual Reference Page: pg. 253
  5. An incident management charter is a document that formally establishes the IMT and documents its responsibility to manage and respond to security incidents. The charter also delegates the authority to take necessary actions and to make decisions prior to, during and after an incident. As incident management is broader than incident response activities, the charter should also provide authority to implement proactive measures, vulnerability management and other incident management services. Sections of the charter document should include:
• Mission —Describes the overall goals of the team and the activities that fall within the team’s scope of responsibility. This might include such tasks as responding to all incidents, minimizing their impact, and collecting data and evidence for further investigation and potential prosecution.
• Scope —Defines the constitution of the IMT. The scope may be different for each organization. Some common choices of IMT scope include:
• Organizational structure —Documents how the IMT is organized from a management perspective, how the members of the team are managed and how the team reports to upper-level management.
• Information flow —Describes how information flows before, during and after an incident. First, this section describes how a potential security incident is reported to the IMT, and provides contact information for doing so. Second, it describes how the IMT communicates information about an incident to:
– Senior management
– Company employees
– Business partners (e.g., suppliers, collaborators)
– Regulatory organizations
– Other stakeholders
– The public
• Services provided —Documents the specific services the IMT provides. This is based on the mission statement (above), and may include services such as incident response, policy development, compliance testing and user education.
Review Manual Reference Pages: pg. 254
  6. The approach to incident response may vary depending on the situation, but the goals are constant. These goals include:
• Containing the effects of the incident so that damage and losses do not escalate out of control
• Notifying the appropriate people for the purpose of recovery or to provide needed information
• Recovering quickly and efficiently from security incidents
• Minimizing the impact of the security incident
• Responding systematically and decreasing the likelihood of recurrence
• Balancing operational and security processes
• Dealing with legal and law enforcement-related issues
Review Manual Reference Page: pg. 255
  7. As is the case with other aspects of information security, senior management commitment is critical to the success of incident management and response. It is a component of risk management, and the same rationale and justification will serve. A business case can be made that effective incident management and response is often a less costly option than attempting to implement controls for all possible conditions. Incident management and response can be part of a trade-off that reduces the cost of risk management efforts by allowing higher levels of acceptable risk. Adequate incident response, in combination with effective information security, creates a practical risk management solution that may be more cost effective in the long run and the most prudent resource management decision. Review Manual Reference Pages: pg. 255
  8. Since incident management and response serves as the fire brigade, ambulance service and emergency room for the organization’s information assets, it must effectively address a wide range of possible unexpected events, both electronic and physical. It needs well-developed monitoring capabilities for key controls, whether procedural or technical, to provide early detection of potential problems. It will have personnel trained to assess the situation, provide triage and manage effective responses that maximize operational continuity and minimize impacts. The incident managers will have made provisions to capture all relevant information and apply previously learned lessons. They will know when a disaster is imminent and will have well-defined criteria, the experience, the knowledge and the authority to invoke the disaster recovery processes necessary to maintain or recover operational status. Review Manual Reference Page: pgs. 255 - 256
  9. Review Manual Reference Pages: pgs. 258 - 259
  10. The incident response plan must be backed by well-defined policies, standards and procedures. A documented set of policies, standards and procedures is important to:
• Ensure that incident management activities are aligned with the IMT mission
• Set correct expectations
• Provide guidance for operational needs
• Maintain consistency and reliability of services
The lack of suitable policies and supporting standards may hinder incident management capabilities. Review Manual Reference Page: pg. 259
  11. Content to Emphasize: An IMT usually consists of an information security manager, steering committee/advisory board, permanent/dedicated team members and virtual/temporary team members. The information security manager usually leads the team. In larger organizations, it may be more effective to appoint a separate IRT leader/manager that focuses on responding to incidents. Above the information security manager, there is a set of senior management executives in a group called security steering group (SSG) or security advisory board. The SSG is responsible for approving the charter and serves as an escalation point for the IMT. The SSG also approves deviations and exceptions to normal practice. Review Manual Reference Page: pg. 260
  12. Review Manual Reference Pages: pg. 261
  13. Review Manual Reference Pages: pg. 261
  14. Review Manual Reference Pages: pg. 261
  15. Content to Emphasize: To build an incident response team with capable incident handlers, organizations need people with certain skill sets and technical expertise, with abilities that enable them to respond to incidents, perform analysis tasks, and communicate effectively with the constituency and external contacts. They must also be competent problem solvers, must easily adapt to change, and must be effective in their daily activities. The set of basic skills that incident response team members need can be separated into two broad groups:
• Personal skills —Major parts of the incident handler’s daily activity.
• Technical skills
Review Manual Reference Page: pgs. 260 - 262
  16. Most organizations have some sort of incident response capability, either ad hoc or formal. The information security manager must identify what is already in place as a basis for understanding the current state. There are many ways to do this; several methods that can be used are:
• Survey of senior management, business managers and IT representatives —A survey is useful to find out how the incident management capability has performed in the past, or how that capability is perceived.
• Self-assessment —A self-assessment is conducted by the IMT against a set of criteria to develop an understanding of current capabilities. This is the easiest method, as it does not require the participation of many stakeholders. Its disadvantages are a limited view of current capability and a result that may not match the capability as perceived by stakeholders.
• External assessment or audit —The most comprehensive option, combining interviews, surveys, simulation and other assessment techniques. This option is normally used by an organization that already has an adequate incident management capability and is further improving it or reengineering the processes.
Review Manual Reference Page: pg. 264
  17. Past incidents (both internal and external) can provide valuable information on trends, types of events, and business impacts. This information is used as an input to the assessment of the types of incidents that must be considered and planned for. Review Manual Reference Page: pg. 264
  18. Risk tolerance is the same as acceptable risk, which, in the final analysis, must be determined by management. Determining acceptable impacts in financial terms and then working backward to determine risk levels may help management understand the trade-off. The information security manager should be aware that incident management also includes business continuity and disaster recovery planning (DRP). DRP generally comprises the plan to recover an IT processing facility, or the plan by business units to recover an operational facility. The recovery plan must be consistent with and support the overall IT plan of the organization. Overall, response management is the combination of BCP, DRP, continuity of business operations and incident response, although, depending on the complexity of the organization, these parts do not necessarily have to be integrated into one single plan. To have a viable response management planning strategy, however, each must be consistent with the others. Review Manual Reference Page: pg. 264
  19. No matter how good controls may be, the risk of an incident cannot be completely eliminated. Accordingly, the information security manager should oversee the development of response and recovery plans to ensure that they are properly designed and implemented. These plans should, as described previously, be based on the BIA. Next, response and recovery strategies should be identified and validated and then approved by senior management. Once senior management approves these strategies, the information security manager should oversee the development of the response and recovery plans. During this process, response and recovery teams should be identified and team members mobilized. The plans must provide the teams guidance concerning the steps to be taken to recover business processes. Review Manual Reference Page: pgs. 264 - 265
  20. Recovery time objective (RTO) is defined as the amount of time allowed for the recovery of a business function or resource to a predefined operational level after a disaster occurs. Exceeding this time would mean that the organization’s survival is threatened or that losses exceed acceptable levels. RTOs are determined as a result of management deciding the level of acceptable impact from the unavailability of information resources. Generally, the optimal RTO is the point where the ongoing cost of loss equals the cost of recovery: a shorter RTO reduces the loss from downtime but requires a more expensive recovery capability. Review Manual Reference Page: pg. 265
  21. The following model, proposed by Schultz, Brown and Longstaff in a University of California technical report, “Responding to Computer Security Incidents: Guidelines for Incident Handling” (UCRL-ID-104689, July 23, 1990), presents a six-phase model of incident response: preparation, identification, containment, eradication, restoration and follow-up (the last two phases are referred to below as recovery and lessons learned):
• Preparation —This phase prepares an organization by developing an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution.
• Identification —This phase aims to verify whether an incident has happened and to find out more details about it. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident.
• Containment —After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team conducts a detailed assessment and contacts the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure.
• Eradication —When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.
• Recovery —This phase ensures that affected systems or services are restored to the state defined by the recovery point objective (RPO). The time allowed to reach the end of this phase is the RTO.
• Lessons learned —At the end of the incident response process, a report should always be developed to share what happened, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the IMT and other stakeholders valuable learning points on what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan.
Review Manual Reference Page: pgs. 265 - 266
  22. • Preparation —This phase prepares an organization by developing an incident response plan prior to an incident. Sufficient preparation facilitates smooth execution. Activities in this phase include:
– Establishing an approach to handling incidents
– Establishing policy and warning banners in information systems to deter intruders and allow information collection
– Establishing a communication plan for stakeholders
– Developing criteria on when to report an incident to the authorities
– Developing a process to activate the incident management team
– Establishing a secure location from which to execute the incident response plan
– Ensuring the equipment needed is available
Review Manual Reference Page: pgs. 265 - 266
  23. • Identification —This phase aims to verify whether an incident has happened and to find out more details about it. Reports on possible incidents may come from information systems, end users or other organizations. Not all reports are valid incidents, as they may be false alarms or may not qualify as an incident. Activities in this phase include:
– Assigning ownership of an incident or potential incident to an incident handler
– Verifying that reports or events qualify as an incident
– Establishing chain of custody during identification when handling potential evidence
– Determining the severity of an incident and escalating it as necessary
Review Manual Reference Page: pgs. 265 - 266
  24. • Containment —After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team conducts a detailed assessment and contacts the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure. Activities in this phase include:
– Activating the incident management/response team to contain the incident
– Notifying appropriate stakeholders affected by the incident
– Obtaining agreement on actions taken that may affect the availability of a service, or on the risks of the containment process
– Getting the IT representative and relevant virtual team members involved to implement containment procedures
– Obtaining and preserving evidence
– Documenting and taking backups of actions from this phase onward
– Controlling and managing communication to the public through the public relations team
Review Manual Reference Page: pgs. 265 - 266
  25. • Eradication —When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause. Activities in this phase include:
– Determining the signs and cause of incidents
– Locating the most recent version of backups or alternative solutions
– Removing the root cause. In the event of a worm or virus infection, it can be removed by deploying appropriate patches and updated antivirus software; where the integrity of the host remains in doubt, restoring from a known-good backup or rebuilding the system is the more reliable way to reach a clean state.
– Improving defenses by implementing protection techniques
– Performing vulnerability analysis to find new vulnerabilities introduced by the root cause
Review Manual Reference Page: pgs. 265 - 266
  26. • Recovery —This phase ensures that affected systems or services are restored to the state defined by the RPO. The time allowed to reach the end of this phase is the RTO. Activities in this phase include:
– Restoring operations to normal
– Validating that actions taken on restored systems were successful
– Involving system owners in testing the system
– Having system owners formally declare normal operation
Review Manual Reference Page: pgs. 265 - 266
  27. • Lessons learned —At the end of the incident response process, a report should always be developed to share what happened, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the IMT and other stakeholders valuable learning points on what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan. Activities in this phase include:
– Writing the incident report
– Analyzing issues encountered during incident response efforts
– Proposing improvements based on the issues encountered
– Presenting the report to relevant stakeholders
Review Manual Reference Page: pgs. 265 - 266
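The six phases above (slides 21 to 27) describe one procedure, and two of its activities are easy to get wrong in practice: determining severity and escalating accordingly, and establishing chain of custody before containment actions alter the very systems the evidence comes from. The following Python is an added example, not code from the review manual or from ISACA. It models an incident record that only moves forward through the phases, refuses to enter containment until at least one item of evidence has been preserved, maps constructed criticality/impact criteria to a severity level and a notification list (the criteria, thresholds and role names such as "ism" and "ssg" are assumptions for illustration), and keeps a chain-of-custody log in which each entry's hash covers the previous entry, so that an altered, reordered or removed entry is detected.

```python
"""Added example (not from the CISM review manual): an incident record that
enforces the six-phase lifecycle, applies constructed severity/escalation
criteria and keeps a tamper-evident chain-of-custody log."""
import hashlib
import json
from datetime import datetime, timezone

# Phases in the order the model prescribes; a record may only move forward.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]

# Constructed escalation criteria (assumption): roles to notify per severity.
# "ism" = information security manager, "ssg" = security steering group.
ESCALATION = {1: ["incident_handler"],
              2: ["incident_handler", "ism"],
              3: ["incident_handler", "ism", "ssg"],
              4: ["incident_handler", "ism", "ssg", "senior_management"]}


def severity(asset_criticality, impact):
    """Map asset criticality (1..3) and impact (1..3) to severity 1..4.
    The thresholds are constructed for illustration."""
    if not (1 <= asset_criticality <= 3 and 1 <= impact <= 3):
        raise ValueError("criticality and impact must be in 1..3")
    score = asset_criticality * impact  # 1..9
    for threshold, level in ((9, 4), (6, 3), (3, 2)):
        if score >= threshold:
            return level
    return 1


def _hash_entry(fields):
    """Canonical SHA-256 over a custody entry's fields (excluding its own hash)."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class Incident:
    def __init__(self, ident, handler, asset_criticality, impact):
        self.ident = ident
        self.handler = handler           # ownership assigned at identification
        self.severity = severity(asset_criticality, impact)
        self.phase = "identification"    # preparation happens before any incident
        self.actions = []                # documented actions, tagged with phase
        self.custody = []                # hash-chained chain-of-custody entries
        self.log_action(f"opened, owner {handler}, severity {self.severity}")

    def log_action(self, text):
        self.actions.append((self.phase, text))

    def notify_list(self):
        """Roles to notify for this incident's severity (escalation criteria)."""
        return ESCALATION[self.severity]

    def advance(self, new_phase):
        """Permit only a move to the next phase, and refuse to start containment
        until evidence has been preserved: containment changes the systems the
        evidence would otherwise be collected from."""
        cur, new = PHASES.index(self.phase), PHASES.index(new_phase)
        if new != cur + 1:
            raise ValueError(f"cannot move from {self.phase} to {new_phase}")
        if new_phase == "containment" and not self.custody:
            raise ValueError("preserve evidence before containment alters the system")
        self.phase = new_phase
        self.log_action(f"entered {new_phase}")

    def add_evidence(self, label, content, collector):
        """Record an evidence item; each entry's hash covers the previous entry,
        so the custody log forms a hash chain."""
        prev = self.custody[-1]["entry_hash"] if self.custody else "0" * 64
        entry = {"label": label,
                 "sha256": hashlib.sha256(content).hexdigest(),
                 "collector": collector,
                 "collected_at": datetime.now(timezone.utc).isoformat(),
                 "phase": self.phase,
                 "prev": prev}
        entry["entry_hash"] = _hash_entry(entry)
        self.custody.append(entry)
        return entry["entry_hash"]

    def verify_custody(self):
        """Recompute the chain; an edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for e in self.custody:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or _hash_entry(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Walk one constructed incident through the lifecycle (sample data)."""
    inc = Incident("INC-0001", "handler_a", asset_criticality=3, impact=2)
    inc.add_evidence("web01 memory image", b"constructed sample bytes", "handler_a")
    inc.advance("containment")
    inc.log_action("isolated web01 from the network")
    inc.add_evidence("web01 disk image", b"more constructed bytes", "it_rep")
    for phase in ("eradication", "recovery", "lessons_learned"):
        inc.advance(phase)
    return inc
```

The custody log only proves that the record itself has not been edited since it was written; in practice the chain head (the last `entry_hash`) should be copied to a store the incident handlers cannot alter, such as a ticket or a write-once log, so that the whole log cannot simply be regenerated.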
  28. Content to Emphasize: Training the response teams is essential; the information security manager should develop event scenarios and test the response and recovery plans to ensure that team participants are familiar with their tasks and responsibilities. Through this process the teams will also identify the resources they require for response and recovery, providing the basis for equipping the teams with needed resources. An added value of training is detecting and correcting ambiguous procedures to achieve clarity, and identifying recovery resources that may not be adequate or effective. IMT members should undergo the following training program:
• Induction to the IMT —The induction should provide the essential information required to be an effective IMT member.
• Mentoring team members regarding roles, responsibilities and procedures —Existing IMT members can provide valuable knowledge to aid new members after induction. To facilitate effective mentoring, a buddy system can be used, pairing new members with experienced members.
• On-the-job training —May serve to provide an understanding of company policies, standards, procedures, available tools and applications, the acceptable code of conduct, etc.
• Formal training —Team members may require formal training to attain the level of competence necessary to support the overall incident management capability.
Review Manual Reference Page: pg. 266
  29. Content to Emphasize: The information security manager must understand the basic processes required to recover operations from incidents such as DoS attacks, natural disasters and other potential disruption of business operations. Disaster recovery (DR) has traditionally been defined as the recovery of IT systems after disruptive events such as hurricanes and floods. Business recovery is defined as the recovery of the critical business processes necessary to continue or resume operations. Business recovery includes not only disaster recovery, but also all other required operational aspects. Review Manual Reference Page: pg. 266
  30. Content to Emphasize: Various strategies exist for recovering critical information resources. The most appropriate strategy is likely to be one that demonstrably addresses probable events with acceptable recovery times at a reasonable cost. Depending on the size and complexity of the organization and the state of recovery planning, the information security manager should understand that the development of an incident management and response plan is likely to be a difficult and expensive process that may take considerable time. It may require the development of several alternative strategies encompassing different capabilities and costs to be presented to management for a final decision. Each alternative must be sufficiently developed to provide an understanding of the trade-offs between scope, capabilities and cost. It may be prudent to consider outsourcing some or all of the needed capabilities and determine costs for the purpose of comparisons. Once the decision is made for which strategy best meets management’s objectives, it provides the basis for the development of detailed incident management and response plans. Review Manual Reference Page: pg. 267
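Slide 20 states that the optimal RTO is where the ongoing cost of loss equals the cost of recovery, and slide 30 that several alternative strategies with different capabilities and costs should be worked out for management's decision. The following Python is an added example, not from the review manual, that puts the two together: it costs each candidate strategy as its annualized recovery cost plus the expected loss from downtime up to its RTO, discards strategies that cannot meet management's maximum tolerable outage, and computes the loss rate at which a faster, dearer strategy breaks even with a slower one. The strategy names, all figures and the linear loss model are constructed assumptions.

```python
"""Added example (not from the CISM review manual): choosing the recovery
strategy whose RTO sits where the cost of loss meets the cost of recovery."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    rto_hours: float     # recovery time the capability can actually deliver
    annual_cost: float   # annualized cost of maintaining the capability


def expected_annual_loss(rto_hours, loss_per_hour, incidents_per_year):
    """Cost of loss: downtime up to the RTO, per incident, times the incident
    rate. A linear loss model is assumed for illustration."""
    return rto_hours * loss_per_hour * incidents_per_year


def total_annual_cost(strategy, loss_per_hour, incidents_per_year):
    """Cost of recovery plus cost of loss for one strategy."""
    return strategy.annual_cost + expected_annual_loss(
        strategy.rto_hours, loss_per_hour, incidents_per_year)


def break_even_loss_rate(faster, slower, incidents_per_year):
    """Loss per hour at which the faster (dearer) strategy costs the same overall
    as the slower one; above it the faster strategy is the cheaper choice."""
    if faster.rto_hours >= slower.rto_hours:
        raise ValueError("first argument must be the strategy with the shorter RTO")
    hours_saved = (slower.rto_hours - faster.rto_hours) * incidents_per_year
    return (faster.annual_cost - slower.annual_cost) / hours_saved


def choose_strategy(strategies, loss_per_hour, incidents_per_year, max_tolerable_hours):
    """Cheapest strategy (recovery cost + cost of loss) whose RTO respects
    management's maximum tolerable outage; None if no strategy can meet it."""
    feasible = [s for s in strategies if s.rto_hours <= max_tolerable_hours]
    if not feasible:
        return None
    return min(feasible,
               key=lambda s: total_annual_cost(s, loss_per_hour, incidents_per_year))


# Constructed candidates (assumption: illustrative annual figures in one currency).
CANDIDATES = [
    Strategy("hot site", rto_hours=2, annual_cost=400_000),
    Strategy("warm site", rto_hours=24, annual_cost=120_000),
    Strategy("cold site", rto_hours=120, annual_cost=30_000),
]

if __name__ == "__main__":
    pick = choose_strategy(CANDIDATES, loss_per_hour=5_000,
                           incidents_per_year=0.5, max_tolerable_hours=48)
    print(pick.name, total_annual_cost(pick, 5_000, 0.5))
```

With the constructed figures the warm site wins at a loss of 5,000 per hour and the hot site wins once the loss rate passes roughly 25,455 per hour, which is the break-even point the slide's "cost of loss equals cost of recovery" rule describes; the cold site never qualifies because its RTO exceeds the 48-hour maximum tolerable outage regardless of cost.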
31. The plan must identify teams and define their assigned responsibilities in the event of an incident. To implement the strategies that have been developed for business recovery, key decision-making, technical and end-user personnel to lead teams need to be designated and trained. Depending on the size of the business operation, the team may consist of a single person. The involvement of these teams depends on the level of the disruption of service and the types of assets lost, compromised, damaged or endangered. A matrix should be developed that indicates the correlation between the functions of the different teams. This will facilitate estimating the magnitude of the effort and activating the appropriate combination of teams. Examples of the kinds of teams usually needed include:
• Emergency action team — Designated fire wardens and “bucket crews” whose function is to deal with fires or other emergency response scenarios
• Damage assessment team — Qualified individuals who assess the extent of damage to physical assets and make an initial determination regarding what is a complete loss vs. what is restorable or salvageable
• Emergency management team — Responsible for coordinating the activities of all other recovery teams and handling key decision making
• Relocation team — Responsible for coordinating the process of moving from the hot site to a new location or to the restored original location
• Security team — Often called a computer security incident response team, it is responsible for monitoring the security of systems and communication links, containing any ongoing security threats, resolving any security issues that impede the expeditious recovery of the system(s), and assuring the proper installation and functioning of every security software package.
Review Manual Reference Page: pgs. 269 - 270
32. The recovery plan must also cover notification responsibilities and requirements. It should also include a directory of key decision-making personnel, information systems owners, end users and others required to initiate and carry out response efforts. This directory should also include multiple communication methods (telephone, cell phone, text, e-mail, etc.). The directory should include at least the following individuals:
• Representatives of equipment and software vendors
• Contacts within companies that have been designated to provide supplies and equipment or services
• Contacts at recovery facilities, including hot site representatives or predefined network communications rerouting services
• Contacts at offsite media storage facilities and the contacts within the company who are authorized to retrieve media from the offsite facility
• Insurance company agents
• Contacts at human resources (HR) and/or contract personnel services
• Law enforcement contacts
Review Manual Reference Page: pg. 270
33. The information security manager, helped by the recovery team’s organization, should implement periodic testing of response and recovery plans. Testing should include:
• Developing test objectives
• Executing the test
• Evaluating the test
• Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
• Implementing a follow-up process to ensure that the recommendations are implemented
Review Manual Reference Page: pg. 273
34. Content to Emphasize: The information security manager should also implement a tracking process to ensure that any recommendations resulting from testing are implemented in a timely fashion. Personnel should be tasked with making any necessary changes. The information security manager needs to understand that testing of recovery and response plans needs to include infrastructure and critical applications. With today’s organizations’ heavy reliance on information technology, the information security manager is tasked with securing these systems not only during normal operations, but also during disaster events. Based on the risk assessment and business impact information, the information security manager can identify the critical applications that the organization requires and the infrastructure needed to support them. To ensure that these are recovered in a timely fashion, the information security manager needs to perform appropriate recovery tests. Review Manual Reference Page: pgs. 273 - 274
  35. Review Manual Reference Page: pg. 274
  36. To ensure the response and recovery plans are executed as required, the plans need a facilitator or director to direct the tasks within the plans, oversee their execution, liaise with senior management and make decisions as necessary. The information security manager may or may not be the appropriate person to act as the recovery plan director or coordinator, but must be certain the role is assigned to someone who can perform this critical function. Developing appropriate response and recovery strategies as well as alternatives is an essential component in the overall process of executing the response and recovery plans. It will provide reasonable assurance that the organization can recover its key business functions in the event of a disruption and that it responds appropriately to a security-related incident. Review Manual Reference Page: pg. 275
37. Having a good legal framework is important to provide options to the organization. The information security manager should develop data preservation procedures with the advice and assistance of legal counsel, the organization’s managers and knowledgeable law enforcement officials to assure that the procedures provide sufficient guidance to IT and security staff. With the assistance of these specialized resources, the information security manager can develop procedures to handle security events in a manner that preserves evidence, ensures a legally sufficient chain of custody, and is appropriate to meet business objectives. There are a few basic actions the information systems staff must understand. These include doing nothing that could change, modify or contaminate potential or actual evidence. Trained forensics personnel can inspect computer systems that have been attacked, but if the organization’s personnel contaminate the information, the data may not be admissible in a court of law and/or the forensics staff may be unable to use the data in investigating an incident. Computer forensics, the gathering and handling of information and physical objects relevant to a security incident in a systematic manner so that they can be used as evidence in a court of law, should usually be performed by specially trained staff, third-party specialists, a security incident response team or law enforcement officials. Review Manual Reference Page: pg. 278
38. Content to Emphasize: The information security manager should understand that any contamination of evidence following an intrusion could prevent an organization from prosecuting a perpetrator and limit its options. In addition, the modification of data can inhibit the computer forensic activity necessary to identify the perpetrator and all the changes and effects resulting from an attack. It may also preclude the possibility of identifying how the attack occurred, and how the security program should be changed and enhanced to reduce the risk of a similar attack in the future. The usual recommendation for a computer that has been compromised is to disconnect the power to maximize the preservation of evidence on the hard disk. This is not universally accepted as the best solution, and the information security manager will need to establish the most appropriate approach for the organization and train personnel in the appropriate procedures. Whichever procedure is used to secure a compromised system, trained personnel must use forensic tools to create a bit-by-bit copy of any evidence that may exist on hard drives and other media to ensure legal admissibility. To avoid the potential for alteration or destruction of incident-related data, any testing or data analysis should be conducted using this copy. The original should be given to a designated evidence custodian who must store it in a safe location. The original media must remain unchanged, and a record of who has had custody of it—the chain of custody—must be maintained for the evidence to be admissible in court. Review Manual Reference Page: pgs. 278 - 279
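The bit-by-bit copy and chain-of-custody record described above, as an added example that is not part of the review manual or of any forensic tool: a Python routine that streams the original to an image file, hashes both sides, appends a custody record, and lets later analysis verify that the working copy still matches the hash recorded at acquisition. The file paths, the custodian label and the JSON-lines log format are assumptions made for the example; in practice the source would be a write-blocked device and the image would be taken with a dedicated forensic imager.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB chunks so a large image never has to fit in memory


def sha256_file(path):
    """SHA-256 hex digest of a file, computed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image_path, custodian, log_path):
    """Copy `source` byte for byte to `image_path`, hash both sides and append a
    custody record to `log_path`; raise rather than hand on an unverified copy."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)  # hash exactly the bytes read from the original...
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    image_hash = sha256_file(image_path)  # ...then re-hash what actually landed on disk
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,  # hypothetical label for who took the image
        "source": os.path.abspath(source),
        "image": os.path.abspath(image_path),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": image_hash == src_hash.hexdigest(),
    }
    with open(log_path, "a", encoding="utf-8") as log:  # append-only JSON-lines custody log
        log.write(json.dumps(record) + "\n")
    if not record["verified"]:
        raise RuntimeError("image hash does not match source; do not use this copy")
    return record


def verify_image(image_path, log_path):
    """Re-hash a copy and compare with the hash recorded at acquisition (False if no record)."""
    wanted = os.path.abspath(image_path)
    with open(log_path, encoding="utf-8") as log:
        entries = [r for r in map(json.loads, log) if r["image"] == wanted]
    return bool(entries) and sha256_file(image_path) == entries[-1]["image_sha256"]
```

Analysts work only on the copy; any later change to it is caught by `verify_image`, and the log shows who acquired it and when.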
  39. Content to Emphasize: The information security manager should manage postevent reviews to learn from each incident and the resulting response and recovery effort and to use the information to improve the organization’s response and recovery procedures. The information security manager may perform postevent reviews to identify causes and corrective actions with the help of third-party specialists if detailed forensic skills are needed. Review Manual Reference Page: pg. 279
40. The American National Standards Institute (ANSI) has awarded accreditation under ISO/IEC 17024 to the Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certification programs. ANSI reaccredited these ISACA programs in 2008. ANSI’s accreditation:
• Promotes the unique qualifications and expertise our certifications provide
• Protects the integrity of our certifications and provides legal defensibility
• Enhances consumer and public confidence in the certifications and the people who hold them
• Facilitates the mobility of certified individuals across borders or industries
Accreditation by ANSI signifies that ISACA’s procedures meet ANSI’s essential requirements for openness, balance, consensus and due process. To maintain ANSI accreditation, certification bodies such as ISACA are required to consistently adhere to a set of requirements or procedures related to quality, openness and due process. The American National Standards Institute (ANSI) is a private, nonprofit organization that administers and coordinates the US voluntary standardization and conformity assessment system. Its mission is to enhance both the global competitiveness of US business and the US quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems, and safeguarding their integrity. Importantly, this accreditation and adherence to ISO/IEC 17024 is being used as an industry benchmark. For example, the U.S. Department of Defense (DoD), to ensure a knowledgeable and skilled workforce, has developed a directive that requires every full- and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system, regardless of job series or occupational specialty, to obtain a commercial certification credential that has been accredited by the American National Standards Institute (ANSI).
With this accreditation, we anticipate that significant opportunities for CISMs will continue to open in the US, and we believe it will be a strong motivator for similar recognition by governmental entities outside the US.