EXECUTIVE SUMMARY
GOVERNANCE
ROLES
OPERATIONS
INCIDENT RESPONSE PROCESS
100

What page does the Executive Summary start on?

What is Page 1

100

Who hosts the Cybersecurity Incident Response Team (CSIRT) processes?

Who is the Chief Information Security Officer, CISO

100

Performs incident handling activities, including incident investigation, incident analysis, runbook execution, mitigation requirements determination, remediation oversight, incident monitoring, and accurate documentation of all incident response activities.

Who is the Incident Response Analysts (IR Handler)

100

Any observable occurrence in a system or network; these may originate on an individual system, network, security device, or other device.

What is an Event

100

If the analysis determines that the alert qualifies as an event, a ticket is opened in the what?

What is the CSOC Ticketing System

200

SCE established and maintains a what strategy.

What is Defense-in-depth
200

What are the two types of Cybersecurity & Intelligence Goals?

What is Proactive and Responsive goals

200

Provides administrative support to IR Handler and CSIRT Team Leads during incident response, including organization and facilitation of stakeholder coordination calls, activation of CSIRT members, distribution of written notifications to stakeholders, and tracking of tasks throughout the response.

Who is the Cybersecurity Incident Response Team Coordinator

200

A suspected or detected compromise or imminent threat of compromise to the confidentiality, availability, or integrity of SCE’s IT systems or non-publicly available data that it maintains.

What is an Incident

200

For significant events that could likely escalate to an incident, a what is required.

What is a Pre-Incident Notification

300

SCE has aligned the Cybersecurity Incident Response Plan with what following three capabilities.

What is Governance, Organization, and Operations

300

All cyber incident declarations and investigations within the SCE computing environment is the sole responsibility of the what organization?

What is CSOC

300

Provides necessary changes to cybersecurity tools and may aid in providing additional research, data, or assistance during the incident life cycle.

Who is the Cybersecurity Engineers

300

How many different SCRAL levels are there?

What is 5; Low, Guarded, Elevated, Substantial, Severe

300

The process for distributing written notifications to internal stakeholders can be found in what?

What is Appendix I – CSIRT Written Notification Process

400

The company’s transmission and distribution grid are a key element of the United States’ critical infrastructure as defined by what?

What is Presidential Policy Directive (PPD) 21

400

The CSIRP will be tested BLANK at a minimum?

What is Annually

400

Coordinates all incident-handling activities. The activities include, but are not limited to, incident validation, resource coordination, the primary contact for internal and external communications regarding incidents, impact assessment, documentation verification, and incident closure.

Who is the Cybersecurity Incident Response Team Lead

400

How many devices/systems impacted would be to have a Moderate Impact for the Incident Scope?

What is 6 to 10?

400

These what are designed to include a small, targeted number of stakeholders who will help evaluate the situation and provide feedback on actions taken and next steps.

What are Coordination Calls

500

Management of cybersecurity events and incidents (as defined in Section what)?

What is 4

500

Regulatory evidentiary requirements of test incidents and exercises are maintained by who?

Who is Business Resiliency

500

Provides resource allocation, briefs executive leadership or the Incident Support Team through their roles in the IT IMT organization, assesses business impact, and makes decisions regarding incident handling.

Who is the Cybersecurity Management

500

What are the 4 stages of the Cybersecurity Event and Incident Management Process Flow

What is

1. Detection

2. Analysis

3. Containment, Eradication, Recovery

4. Post-Incident Activity

500

In Post-Incident Activity, the CSOC team, along with input from supporting technical and external resources will complete a BLANK and BLANK reports.

What is After-Action and Lessons Learned reports

M
e
n
u