StudyDaddy Computer Science Note: can u pls do it in APA format

Note: can u pls do it in APA format

ISOL 533 - InfoSec urity & R isk Management Computer Incident Response Team Plan University of The Cumberlands Purpose This plan was developed for He alth Network, Inc. (Health Network) and it is classified as the confidential property of that entity. Due to the sensitive nature of the information contained herein, this plan is available only to those persons who have been designated as members of one o r more incident management teams, or who otherwise play a direct role in the incident response and recovery processes . Policy This document discusses the steps taken by the Computer Incident Response Team during an incident . 1) The person who discovers the incident will call the IT Incident Response department . 2) The IT Incident Response department will create a ticket in the Incident Response database and document: a) The name of the caller. b) Time of the call. c) Contact information about the caller. d) The nature of the incident. e) What equipment or persons were involved? f) Location of equipment or persons involved. g) How the incident was detected. h) When the event was first noticed that supported the idea that the incident occurred. Incidents will be classified as eit her Physical or Electronic. The security department will handle all Physical incidents. The IT department will handle all Electronic incidents. 3) If the incident is validated , the IT Incident Response department will contact the following offices , as app ropriate , with details from the Incident Response database, to ensure they are aware of the incident: a) Incident Response manager (via both email and phone messages) b) The security department (via both email and phone messages) c) LAN/W AN and Intrusion detection monitoring personnel (via phone) d) Affected system administrator (via phone) e) Affected database administrator (via phone) 4) The Incident Response department will research the Incident knowledge -base and add the following to the Incident Response ticket: a) Is th e equipment affected classified as business critical? b) Th e Risk Factor/Impact and RTO of the systems affected ? c) Name of system being targeted, along with operating system, IP address, and location. d) IP address and any information about the origin of the at tack. ISOL 533 - InfoSec urity & R isk Management Computer Incident Response Team Plan University of The Cumberlands 5) The Incident Response manager will determine which response teams will be mobilized and contact the IT Incident Response department to have them contact the team members. 6) The c ontacted Response T eam members will meet or discuss the situation over th e telephone and determine a response strategy. a) Is the incident real or perceived? b) Is the incident still in progress? c) What data or property is threatened and how critical is it? d) What is the impact on the business should the attack succeed? Critical, Maj or, Minor ? e) What system or systems are targeted, where are they located physically and on the network? f) Is the incident inside the trusted network? g) Is the response urgent? h) Can the incident be quickly contained? i) Will the response alert the attacker and if so, how will the response proceed ? j) What type of incident is this? Example: virus, worm, intrusion, abuse, damage. 7) The Response Team lead will update the Incident Response ticket. The incident will be categorized into the highest applicable level of on e of the following categories: a) Category one - A threat to public safety or life. b) Category two - A threat to sensitive data c) Category three - A threat to computer systems d) Category four - A disruption of services 8) Response Team members will follow one of the established Incident Response procedures (if a procedure does not exist, the Response Team will develop and document the new procedure). The following procedures are currently active. a) Worm response procedure b) Virus response procedure c) System failure pr ocedure d) Active intrusion response procedure - Is critical data at risk? e) Inactive Intrusion response procedure f) System abuse procedure g) Property theft response procedure h) Website denial of service response procedure i) Database or file denial of service res ponse procedure j) Spyware response procedure. If a new procedure is developed, it will be forwarded to the Incident Response manager once the incident is resolved so the manager may add it to this document . ISOL 533 - InfoSec urity & R isk Management Computer Incident Response Team Plan University of The Cumberlands 9) Response Team members will use forensic techniqu es, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or exa mining evidence, and the authorized personnel may vary by situation and the organization. 10) Response Team members will recommend changes to the Response Team manager to prevent the occurrence from happening again or infecting other systems. 11) Response Team m embers will restore the affected system(s) to the uninfected state. They may do any or more of the following: a) Re -install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this. b) Make users chang e passwords if passwords may have been sniffed. c) Be sure the system has been hardened by turning off or uninstalling unused services. d) Be sure the system is fully patched. e) Be sure real time virus protection and intrusion detection is running. f) Be sure the system is logging the correct events and to the proper level. 12) Response Team members will update the ticket with the following : a) How the incident was discovered. b) The category of the incident. c) How the incident occurred, whether through email, firewall, e tc. d) Where the attack came from, such as IP addresses and other related information about the attacker. e) What the response plan was. f) What was done in response? g) Whether the response was effective. 13) Response Team members will: a) Make copies of logs, email, a nd other communication b) Update the ticket with a list of all witnesses c) Will k eep evidence as long as necessary to complete prosecution and beyond in case of an appeal. 14) The Response Team manager will no tify the police and other appropriate agencies if prose cution of the intruder is possible. 15) The Response Team manager will a ssess the damage to the organization and estimate both the damage cost and the cost of the containment efforts. 16) The Response Team manager will re view the response , update policies , and take preventative steps so the intrusion can't happen again. a) Consider whether an additional policy could have prevented the intrusion. ISOL 533 - InfoSec urity & R isk Management Computer Incident Response Team Plan University of The Cumberlands b) Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be ch anged to ensure that the procedure or policy is followed in the future. c) Was the incident response appropriate? How could it be improved? d) Was every appropriate party informed in a timely manner? e) Were the incident -response procedures detailed and did they cover the entire situation? How can they be improved? f) Have changes been made to prevent a re -infection? Have all systems been patched, systems locked down, passwords changed, anti -virus updated, email policies set, etc.? g) Have changes been made to preven t a new and similar infection? h) Should any security policies be updated? i) What lessons have been learned from this experience? ISOL 533 - InfoSec urity & R isk Management Computer Incident Response Team Plan University of The Cumberlands Appendix A – Incident Response Worksheet Complete this worksheet for any reported incidents Preparation : What tools, applicat ions, laptops, and communication devices were needed to address the Computer Incident Response for this specific breach? Identification : When an incident is reported, it must be identified, classified, and documented. During this step, the following inform ation is needed:  Identify the nature of the incident o What Business Process was impacted o What threat was identified o What weakness was identified o What risk was identified o What was the Risk Factor/Impact of the incident o What was the RTO , MTD and RPO assigned to the business process o What hardware, software, database and other resource were impacted Containment : The immediate objective is to limit the scope and magnitude of the computer/security - related incident as quickly as possible, rather than allow the inc ident to continue to gain evidence for identifying and/or prosecuting the perpetrator.  What needed to be done to limit the scope of the incident Eradication : The next priority is to remove the computer/security -related incident or breach’s effects.  What was done to mitigate the risk of the incident Recovery : Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security -related incident.  What was done to recover the IT systems o What pro cedures were used and were they covered in the Disaster Recovery Plan o Was the Business Continuity Plan executed in response to this incident o Were any issues identified that would lead to updates to the BIA, BCP or DR plans.

Have a similar question?

Continue to edit or attach image(s).

  • Fast and convenient

    Fast and convenient

    Simply post your question and get it answered by professional tutor within 30 minutes. It's as simple as that!

  • Any topic, any difficulty

    Any topic, any difficulty

    We've got thousands of tutors in different areas of study who are willing to help you with any kind of academic assignment, be it a math homework or an article.

  • 100% Satisfied Students

    100% Satisfied Students

    Join 3,4 million+ members who are already getting homework help from StudyDaddy!