An Incident Manager will determine the path an investigation should take based on considerable real world incident handling experience and the pertinent information currently available. As greater information becomes available, it is their responsibility to continuously re-evaluate the situation and make any necessary changes from minor course corrections to a total change in direction if that is required. To stay in control of a rapidly changing situation requires strong leadership and interpersonal skills as well as sufficient technical capabilities to understand reports and findings being presented back from other team members. It is also the responsibility of the Incident Manager to determine what additional skills need to be brought into the team to ensure the response programme runs effectively and efficiently. The Incident Manager will be the key point of contact with the client organisation and possibly third parties such as regulators, government or media organisations – as such they will need the ability to stay calm and focussed while distilling the key facts of the engagement to explain both to board level and technical customer within the client organisation. An Incident Manager will be responsible for leading and presenting all elements of the Incident Response project lifecycle including identification, containment and eradication. They will need to be aware of any relevant legal and regulatory matters. An Incident Manager’s role is expected to be fulfilled by highly experienced personnel who have spent considerable time working on incident response engagements. It is likely that many will have previously (or may still be) practitioners in one of the technical disciplines associated within incident response, however this is not a mandatory prerequisite. It is, however, essential that those in this role have sufficiently strong and broad technical skills to be able to play a key part in understanding the details of the incident in order to make accurate, informed decisions at both the strategic and technical team lead levels.
The CREST Certified Incident Manager (CCIM) Examination
The (CCIM) examination tests a candidates’ knowledge across a range of areas wider than traditional intrusion analysis including conventional incident response technical tasks and also a wide range of general technology areas to ensure they are competent to assess and handle a range of potential incident scenarios. The detail in these areas is high level but broad with “an awareness of” being a good description of the level of detail required. The Syllabus for the CCIM examination is available from the link below and specifically, Appendix G focuses in detail on the core response manager skills that will be assessed. The level of detail required here is greater as this is assumed to be the core domain of knowledge for an incident manager. Particular emphasis is placed on the following skill sets:
- Client management
- Containment techniques
- Project management and time management
- Evidence handling
- Communications
- Recovery and remediation
- On-going technical prevention
- Judgement making and critical reasoning
- Written skills
- Third Parties
- Reporting Agencies
- Threat intelligence, Contextualisation Attribution and Motivation
- Industry Best Practice
- Risk Analysis
- Attack & compromise lifecycle
- Legal and Jurisdictional Issues
- Ethics
- Technical vulnerability root cause identification
- Physical threats
- Insider attacks
Examination Format
The CCIM examination has two components:
- multiple choice
- written, comprising a selection of long form and scenario based questions that require detailed answers
To pass the exam, the candidate must pass both sections. If a candidate fails an element, the entire examination must be retaken.
The examination is delivered in two parts (see Notes for Candidates) with Part 1 taken first and Part 2 must be taken within three months of Part 1.
You can download the following documents from the links below:
Syllabus for CCIM Examination
Notes for Candidates to aid examination preparation
Cost
For costs and availability please refer to individual country booking. The examination is delivered at Pearson Vue centres.
Training Providers
In our mission to support individuals in their examination preparation and professional growth, we collaborate with training providers. Search for a Training Provider using our Training Provider Search.
Recommended Preparation Material
The CREST Assessors panel regularly identifies common themes and consolidates common questions and answers from candidates and from the industry in relation to the CREST certification examinations. Candidates are advised to familiarise themselves with these, although they are free to disregard them if they wish.
CREST recommends that candidates familiarise themselves with the content in our FAQS which has been created specifically for those attempting a practical examination.
The following material and media have been cited as helpful preparation for this examination by previous candidates:
Websites
http://www.sans.org/reading-room/whitepapers/incident/creating-managing-incident-response-team-large-company-1821
http://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Case Studies
https://www.sans.org/reading-room/whitepapers/casestudies
Useful Information for Candidates
Details of the Logistics and Timings of CREST examinations can be found in the Examination Preparation pages for your country of choice.
CREST’s Policy for Candidates requiring special arrangements including additional time to accommodate a medical condition (including examinations delivered via Pearson Vue.
Terms and Conditions for CREST Examinations (includes hard disk drive wiping policy)
