The result of the post-incident review would be our lessons learned report. What went well, what went wrong, and what can we do next time to improve our incident response. The electronic evidence, the areas effected and possibly who attacked us would already be covered reporting and possibly in response.

The RTO (Recovery time objective) is when we have restored the system hardware. Us getting the system back into production is the MTD (Maximum Tolerable Downtime). When the system is completely offline is a distractor, and when the system software is restored is the WRT (Work Recovery Time). The maximum amount of time we can be down, must not exceed the time it takes us to rebuild the hardware, install the software and test the system (MTD ≥ RTO + WRT).

Bob should establish good communication with the steering committee first. They make most of the Information Security decisions and prioritization. While he may at some point need to develop the security architecture, do an enterprise wide risk analysis or hire more staff, we have no information about the need for any of those in the question and regardless we would always want to build report and communication channels with the steering committee and senior management.

We would want all of these for our risk management program, but us being able to detect new risks would be the MOST helpful.

Senior management sets our risk appetite and residual risk is what is what is left after we have implemented the countermeasures and senior management has decided it is not worth mitigating the risk anymore. Inherent risk is the unmitigated risk, control risk is when control fail, and audit risk is how auditors approach their work.

For areas that are considered critical or high security, we would want a higher than normal FRR (False rejection rate). This means that we may reject slightly more authorized employees, but it is worth it because we also get a lot less FAR (False accept rate) errors. Lower or exactly at the CER (Crossover Error Rate), we would want for normal security areas, but for not for areas that are high or critical security.

We would most often transfer risks with low probability and high impact. This could be flooding of our data center. If we chose to implement countermeasures it is often cost prohibitive. We may not be able to eliminate the risk and accepting the risk could have a catastrophic impact if it actualized.

The best protection against any type of phishing (normal, spear, whale, vishing) is user awareness training. We would also implement the email filtering, and it would help, but it is less effective than user awareness. Limiting emails to the internal network would not do anything to prevent phishing, neither would firewall filtering.

It is MOST important that we know who all the data owners are, they would know how to classify their information. We would classify the data and do a risk assessment, but we need the data owners for that. Job roles is a distractor and has nothing to do with the question.

We would want the intranet server on our internal network, where it would be accessible for our employees and inaccessible to external sources. It would not be appropriate to place the intranet server attached to a firewall, behind an external router, or in the DMZ, we would want in further inside our internal network and not so close to the external network.