SC570: BSI™ Incident Practitioner

Training: Security - Governance, Risk & Compliance - Certification


The workshop provides hands-on training on how to rapidly detect, analyze, and handle IT security incidents within the BSI™ framework. Participants learn to initiate effective immediate response measures on-site, limit damage scope, and prevent consequential damage. The objective is to competently implement incident response processes and increase response capability in emergency situations.

Presence event

Start: 2026-02-09 | 10:00 am

End: 2026-02-11 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.

Presence event

Start: 2026-07-06 | 10:00 am

End: 2026-07-08 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.

Presence event

Start: 2026-12-07 | 10:00 am

End: 2026-12-09 | 01:30 pm

Location: Nürnberg

Price: 1.190,00 € plus VAT.


Agenda:

  • Phone behavior incl. non-technical measures
    • Service-oriented phone call
    • Non-technical measures

  • Threats and attack forms and overview of the current threat landscape
    • Term definitions (threat, vulnerability, risk, attacker etc.)
    • Types of attacks or attack forms
    • Causes of attacks
    • Different attack methods
    • Phases of a cyber attack
    • Top current attack forms or current threat landscape
    • Detection of attacks or infections
    • Action recommendations for the incident practitioner
    • Limits of assistance by the incident practitioner

  • Standard procedure workflow
    • Preparation for potential incidents
    • Identification of the IT security incident
    • Containment of the damage extent
    • Determination of the causes or triggers of the IT security incident
    • Recovery of systems
    • Documentation of the IT security incident

  • Handling of IT security incidents e.g. phishing incidents, ransomware incidents
    • Introduction to phishing, phishing channels, possible consequences of phishing
    • Additional information on the most common consequences and statistics on economic damage incurred
    • Detection of Phishing Attacks, Response to Successful Phishing Attacks
    • Introduction to ransomware, current ransomware situation
    • Typical approach of ransomware attackers
    • Managing ransomware incidents
    • Legal issues

  • Remote support
    • Remote or on-site support
    • Communication with the customer
    • Connection and access options
    • Data collection and analysis options

  • Incident handling of IT systems "beyond usual office applications"
    • IT systems are also used beyond usual office applications
    • Examples of architectures. Which technology is used?
    • What are possible threats to control technology?
    • Limits of the task
    • Standard procedure workflow
    • Attack scenarios and immediate measures or countermeasures
    • Limits of analysis

  • After an incident is before an incident
    • Sensitization of the company for preventive security measures
    • Building security awareness
    • Analysis of business processes
    • Building a security and emergency concept
    • Design of exercises
    • Providing info package through CSN
    • Maintaining the competence of the incident practitioner

Objectives:

In this 2.5-day training you will be prepared for the Incident Practitioner certification exam and will be examined in writing and orally on the last (half) training day.

The advanced training provides you with the official curriculum for acquiring the knowledge and skills you need as part of your work as an Incident Practitioner.

In the group you will develop your skills for handling information security incidents and consolidate your knowledge of Cyber Security.

Following the workshop, all course participants receive the work results as handouts, the official training materials and proof of participation in the training program.

As a registered training company with the BSI™, qSkills™ offers course participants the opportunity to combine the advanced training with the examination workshop at the same training location.

Note: In contrast to the Incident Expert certification exam (SC580), the Incident Practitioner certification exam takes place directly on the third training day at qSkills™ on-site. While participation in the first two training days can take place both in-person and online, participation in the last half day (examination workshop) is only possible in-person.

Target audience:

The course SC570 Incident Practitioner of the Cyber Security Network of the BSI™ is specifically designed for participants who already possess knowledge and practice in the field of Cyber Security and are now seeking registration as an Incident Practitioner in the CSN of the BSI™:

  • IT Specialists
  • IT Technicians/Theorists
  • ISMS Experts

Course participants are often decision-makers, consultants, and employees who already have expertise in the areas of IT Security and IT Technology.

Prerequisites:

Do you want to become an Incident Practitioner? Good decision!
Approximately 83 million citizens and about 3 million small and micro-enterprises face a concrete risk of being affected by an IT incident.

A prerequisite for registration with the Cyber Security Network is qualification as a Digital First Responder according to the ACS Standard for the Digital Rescue Chain and demonstrable knowledge in the IT field. The exact requirements are documented by the Cyber Security Network of the BSI™ under "Incident Practitioner in the CSN".

Description:

The Federal Office for Information Security (BSI™) is responsible for IT security matters. To strengthen the reactive offerings in the field of Cyber Security or IT security, the Cyber Security Network (CSN) was established as a contact point for incident handling. This voluntary association of qualified IT security experts aims to detect and analyze IT security incidents more quickly, limit the extent of damage, and prevent further harm.

The workshop SC570 Incident Practitioner of the Cyber Security Network of the BSI™ enables you to provide rapid and effective on-site assistance in the event of IT security incidents and to initiate the corresponding processes for damage regulation.

Other Info:

Examination Framework Conditions
The candidate must arrive in the designated training room 15 minutes before the scheduled examination time. In case of later arrival, access and participation may be denied by the examiner. The candidate must present a photo ID on the examination day. Approved documents include e.g. identity card, passport, driver's license.

Permitted Aids During the Examination
Candidates may not use any aids, reference materials, blank sheets or notepads. Furthermore, no communication, monitoring or recording devices (e.g. mobile phones, tablets, smart glasses, smartwatches or other mobile devices) may be used. All electronic devices must be switched off during the examination. Otherwise, an attempt at deception may be assumed and the candidate may be excluded from the examination.

Examination Foundation
The objective of the examination is for the candidate to demonstrate to an independent third party, i.e. an examiner or experienced Incident Expert, the technical and personal competence, as well as the competence acquired through the basic course and additional training, that is required for work as an Incident Practitioner. The examination is based on:

  • The IT Security Incident Response Guide for Digital First Responders as well as
  • The IT Security Incident Response Guide for Incident Practitioners and Incident Experts, here the chapters for the Incident Practitioner.

Examination Format and Language
The examination consists of two parts (written and oral), a

  • 15-minute knowledge assessment (written multiple-choice examination) and a
  • 15-minute practical assessment (oral examination workshop).

The oral examination takes place together with all other candidates in a group, so the other participants also learn from the presentation and working through of the case studies. The examination is offered in German.

Knowledge Assessment
The written part of the examination comprises 20 multiple-choice questions, which must be answered within 15 minutes without aids. The correct statements must be marked. Each multiple-choice question has four answer options.
It is possible that

  • all statements are correct,
  • one statement is correct,
  • multiple statements are correct,
  • no statement is correct.

One point is awarded for each correctly answered multiple-choice question. An examination question is considered correctly answered when all answers are correctly marked. If one answer is incorrect, the entire question is considered not correctly answered (zero points). There are no point deductions. In written examinations (on paper), accidentally mis-marked answers must be clearly recognizable as such and the correct answer must be marked. In case of doubt, the question will be evaluated as incorrect.

Practical Assessment
At the beginning of the oral examination each participant receives an envelope with a case study, which he should present to the group after a familiarization time of 15 minutes. The sequence of the oral examinations is noted on the case studies and is thus randomly determined.
The oral examination takes place together with all other candidates, so that participants also learn from the presentation and working through of the other participants' case studies.
During the oral examination the examiner notes whether the candidate has addressed all aspects of the solution pattern. The evaluation is based on the following evaluation grid for the practical example:

  • The problem statement of the case study has been correctly reproduced.
  • The problem has been correctly delimited and analyzed.
  • Action recommendations are practicable and comprehensibly reproduced.
  • The procedure corresponds to the telephone guide in the IT Security Incident Response Guide for Digital First Responders.
  • The examiner has the possibility to ask additional questions.

For the oral examination a maximum of 20 points can be awarded.

Examination Evaluation
To pass the examination for Incident Practitioner, at least 60% of all points must be achieved. That is, the examination is considered passed when 24 of the 40 possible points across both parts have been achieved.

Examination Retake
If a candidate has not achieved the required minimum score, or if there are reasons why the examination result is not valid, the examination may be retaken once. Individual parts of the examination generally cannot be repeated separately. A second retake of the examination is not possible.

The CSN concept of the DIGITAL RESCUE CHAIN has existed since October 2021 and consists of:

  • Self-help assistance (website)
  • CSN hotline contact point
  • Digital First Responder qualification
  • Incident Practitioner qualification according to BSI™/ACS standard
  • Incident Expert qualification according to BSI™/ACS standard
  • IT service provider with a team of Incident Experts

qSkills™ has been an active partner of the Alliance for Cybersecurity (ACS) since its founding and supports the BSI™ as a training expert, among other things by training security officers to become Incident Practitioners.

The BSI™ Incident Practitioners are, alongside the BSI™ Incident Experts, a significant part of the Digital Rescue Chain for victims of cyberattacks.


Guaranteed implementation: from 2 attendees

Booking information:

Duration: 3 Days

Price: 1.190,00 € plus VAT. (including lunch & drinks for in-person participation on-site)

Exam (Optional): 390,00 € plus VAT.

Authorized training partner

NetApp Partner Authorized Learning
Commvault Training Partner
CQI | IRCA Approved Training Partner
Veeam Authorized Education Center
Acronis Authorized Training Center
AWS Partner Select Tier Training
ISACA Accredited Partner
iSAQB
CompTIA Authorized Partner
EC-Council Accredited Training Center

Memberships

Allianz für Cyber-Sicherheit
TeleTrust Pioneers in IT security
Bundesverband der IT-Sachverständigen und Gutachter e.V.
Bundesverband mittelständische Wirtschaft (BVMW)
Allianz für Sicherheit in der Wirtschaft
NIK - Netzwerk der Digitalwirtschaft
BVSW
Bayern Innovativ
KH-iT
CAST
IHK Nürnberg für Mittelfranken
eato e.V.
Sicherheitsnetzwerk München e.V.