Incident Response Plan Example

Submitted By zhaorx

This document describes the steps taken during an incident response. To create your own plan, replace the steps in the following example with your organization's contact information and specific courses of action.
1) The person who discovers the incident will call the grounds dispatch office. List the possible sources who may discover an incident. Each known source should be given a contact procedure and a contact list. Sources requiring contact information may include:
a) Helpdesk
b) Intrusion detection monitoring personnel
c) A system administrator
d) A firewall administrator
e) A business partner
f) A manager
g) The security department or a security person
h) An outside source
List all sources and check off whether they have contact information and procedures. Usually each source contacts one entity that is reachable 24/7, such as a grounds security office. Those in the IT department may have different contact procedures than those outside it.
2) If the person discovering the incident is a member of the IT department or the affected department, they proceed to step 5.
3) If the person discovering the incident is not a member of the IT department or the affected department, they call the 24/7 reachable grounds security department at xxx-xxx.
4) The grounds security office will refer to the IT emergency contact list or the affected department's contact list and call the designated numbers in the order listed. The grounds security office will log:
a) The name of the caller.
b) The time of the call.
c) Contact information for the caller.
d) The nature of the incident.
e) What equipment or persons were involved.
f) The location of the equipment or persons involved.
g) How the incident was detected.
h) When the event that first suggested an incident was noticed.
5) The IT staff member or affected department staff member who receives the call (or who discovered the incident) will refer to their contact list for both the management personnel and the incident response members to be contacted, and will call those designated on the list. The staff member will contact the incident response manager by both email and phone message, while making sure that other appropriate and backup personnel and designated managers are also contacted. The staff member will log the information received in the same format as the grounds security office in the previous step, and may add the following:
a) Is the affected equipment business critical?
b) What is the severity of the potential impact?
c) The name of the system being targeted, along with its operating system, IP address, and location.
d) The IP address and any other information about the origin of the attack.
6) The contacted members of the response team will meet, or discuss the situation over the telephone, and determine a response strategy:
a) Is the incident real or perceived?
b) Is the incident still in progress?
c) What data or property is threatened, and how critical is it?
d) What is the impact on the business should the attack succeed? Minimal, serious, or critical?
e) What system or systems are targeted, and where are they located physically and on the network?
f) Is the incident inside the trusted network?
g) Is the response urgent?
h) Can the incident be quickly contained?
i) Will the response alert the attacker, and do we care?
j) What type of incident is this? Examples: virus, worm, intrusion, abuse, damage.
7) An incident ticket will be created. The incident will be categorized at the highest applicable level among the following categories:
a) Category one - A threat to public safety or life.
b) Category two - A threat to sensitive data.
c) Category three - A threat to computer systems.
d) Category four - A disruption of services.
8) Team members will establish and follow one of the following procedures, basing their response on the incident assessment:
a) Worm response procedure
b) Virus response procedure
c) System failure procedure
d) Active intrusion response procedure - Is critical data at risk?
e) Inactive intrusion response procedure
f) System abuse procedure
g) Property theft response procedure
h) Website denial of service response procedure
i) Database or file denial of service response procedure
j) Spyware response procedure
The team may create additional procedures not foreseen in this document. If no applicable procedure is in place, the team must document what was done and later establish a procedure for that kind of incident.
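Steps 4 to 8 together form an intake-and-triage pipeline: a logged call, a set of assessment answers, a category chosen at the highest applicable level, and one named procedure. The following Python model is an added example and not part of the plan template; the class, field and function names, the mapping from assessment answers to categories and procedures, and the sample incident in `demo()` are this example's own constructions.

```python
"""Steps 4 to 8 as a small intake-and-triage model (added example)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Step 7 categories; category one is the highest level.
CATEGORIES = {
    1: "A threat to public safety or life",
    2: "A threat to sensitive data",
    3: "A threat to computer systems",
    4: "A disruption of services",
}

# Step 8 procedures keyed by the step 6j incident type (keys are assumed).
# Intrusions are handled separately because the active/inactive split
# depends on the step 6b answer "is the incident still in progress?".
PROCEDURES = {
    "worm": "Worm response procedure",
    "virus": "Virus response procedure",
    "failure": "System failure procedure",
    "abuse": "System abuse procedure",
    "theft": "Property theft response procedure",
    "dos-web": "Website denial of service response procedure",
    "dos-data": "Database or file denial of service response procedure",
    "spyware": "Spyware response procedure",
}
UNDOCUMENTED = "No applicable procedure: document actions taken, then write one"


@dataclass
class IntakeLog:
    """Step 4 fields (required) plus the optional step 5 additions."""
    caller_name: str
    call_time: datetime
    caller_contact: str
    nature: str
    equipment_or_persons: str
    location: str
    detection_method: str
    first_noticed: datetime
    business_critical: Optional[bool] = None
    severity: Optional[str] = None
    target_system: Optional[str] = None
    attack_origin: Optional[str] = None


@dataclass
class Assessment:
    """Answers to the step 6 questions the response team works through."""
    real: bool
    in_progress: bool
    incident_type: str
    threat_to_life: bool = False
    threat_to_sensitive_data: bool = False
    threat_to_systems: bool = False
    service_disruption: bool = False
    inside_trusted_network: bool = False
    urgent: bool = False
    quickly_containable: bool = False


def missing_fields(log: IntakeLog) -> list:
    """Names of required step 4 fields that were left empty."""
    required = ["caller_name", "call_time", "caller_contact", "nature",
                "equipment_or_persons", "location", "detection_method",
                "first_noticed"]
    return [f for f in required if getattr(log, f) in (None, "")]


def categorize(a: Assessment) -> int:
    """Step 7: the highest applicable category is the lowest number set."""
    flags = [(1, a.threat_to_life), (2, a.threat_to_sensitive_data),
             (3, a.threat_to_systems), (4, a.service_disruption)]
    applicable = [cat for cat, present in flags if present]
    if not applicable:
        raise ValueError("no category applies; re-check the assessment")
    return min(applicable)


def select_procedure(a: Assessment) -> str:
    """Step 8: map the assessment to one named procedure."""
    if a.incident_type == "intrusion":
        return ("Active intrusion response procedure" if a.in_progress
                else "Inactive intrusion response procedure")
    return PROCEDURES.get(a.incident_type, UNDOCUMENTED)


def open_ticket(log: IntakeLog, a: Assessment) -> dict:
    """Build the step 7 ticket; refuse an incomplete intake log."""
    gaps = missing_fields(log)
    if gaps:
        raise ValueError("intake log incomplete: " + ", ".join(gaps))
    if not a.real:
        return {"status": "closed", "reason": "perceived, not a real incident"}
    cat = categorize(a)
    intake = {k: (v.isoformat() if isinstance(v, datetime) else v)
              for k, v in asdict(log).items()}
    return {"status": "open", "category": cat, "category_text": CATEGORIES[cat],
            "procedure": select_procedure(a), "urgent": a.urgent,
            "intake": intake, "assessment": asdict(a)}


def demo() -> dict:
    """Constructed sample: an in-progress intrusion against a database host."""
    log = IntakeLog(
        caller_name="J. Doe (helpdesk)",
        call_time=datetime(2024, 3, 1, 9, 12, tzinfo=timezone.utc),
        caller_contact="ext. 4242", nature="Unexpected admin logins on db01",
        equipment_or_persons="db01", location="Server room B",
        detection_method="IDS alert reviewed by helpdesk",
        first_noticed=datetime(2024, 3, 1, 8, 55, tzinfo=timezone.utc),
        business_critical=True, severity="serious",
        target_system="db01 / Linux / 10.0.0.25 (constructed)")
    a = Assessment(real=True, in_progress=True, incident_type="intrusion",
                   threat_to_sensitive_data=True, threat_to_systems=True,
                   urgent=True)
    return open_ticket(log, a)
```

The two design points worth keeping in a real ticketing integration are that `open_ticket` refuses to proceed without the step 4 fields (so the record the team later reviews in step 13 is complete), and that `categorize` takes the minimum of all applicable category numbers rather than the first match, which is what "highest applicable level" requires when, as here, an intrusion threatens both data and systems.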
9) Team members will use forensic techniques, including reviewing system logs, looking for gaps in the logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel should perform interviews or examine evidence; who is authorized may vary by situation and organization.
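"Looking for gaps in logs" is a concrete check that can be automated before an analyst reads the log by hand. The following Python script is an added example, not part of the plan template: it parses a syslog-like log, reports silent periods longer than a threshold, timestamps that run backwards, lines that do not parse, and skipped periodic "heartbeat" entries. The log lines are constructed, and the line format, the 30-minute silence threshold and the choice of `cron` as the hourly heartbeat are assumptions for illustration.

```python
"""Step 9 support: find gaps and time reversals in a system log (added example)."""
import re
from datetime import datetime

# Assumed line shape: "<ISO timestamp> <host> <program>: <message>".
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) ([^:]+): (.*)$")

# Constructed sample log: a 2.5-hour silence, a truncated line, and a
# timestamp that steps backwards (a clock change or an out-of-order write).
SAMPLE_LOG = """\
2024-03-01T09:00:05 web01 sshd: Accepted publickey for deploy from 10.0.0.7
2024-03-01T09:05:12 web01 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T09:10:40 web01 sshd: Accepted password for admin from 10.0.0.9
2024-03-01T11:4
2024-03-01T11:42:03 web01 sshd: Accepted publickey for deploy from 10.0.0.7
2024-03-01T11:40:00 web01 ntpd: time stepped by -123 seconds
2024-03-01T11:45:30 web01 cron: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_log(text: str) -> dict:
    """Split the log into parsed entries and the 1-based numbers of bad lines."""
    entries, unparsed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(lineno)  # truncated or foreign lines are evidence too
            continue
        entries.append({"line": lineno,
                        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"),
                        "host": m.group(2), "prog": m.group(3), "msg": m.group(4)})
    return {"entries": entries, "unparsed": unparsed}


def find_gaps(entries, max_silence_s: int = 1800) -> list:
    """Consecutive entries further apart than max_silence_s seconds."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = (cur["ts"] - prev["ts"]).total_seconds()
        if delta > max_silence_s:
            gaps.append({"after_line": prev["line"], "before_line": cur["line"],
                         "seconds": int(delta)})
    return gaps


def find_reversals(entries) -> list:
    """Line numbers whose timestamp is earlier than the preceding entry's."""
    return [cur["line"] for prev, cur in zip(entries, entries[1:])
            if cur["ts"] < prev["ts"]]


def missing_heartbeats(entries, prog: str = "cron", period_s: int = 3600) -> int:
    """How many expected periodic entries from `prog` never appeared."""
    beats = [e["ts"] for e in entries if e["prog"] == prog]
    skipped = 0
    for a, b in zip(beats, beats[1:]):
        skipped += max(0, round((b - a).total_seconds() / period_s) - 1)
    return skipped


def review(text: str) -> dict:
    """Everything an analyst should look at before trusting this log."""
    parsed = parse_log(text)
    e = parsed["entries"]
    return {"unparsed_lines": parsed["unparsed"], "gaps": find_gaps(e),
            "reversals": find_reversals(e), "missed_heartbeats": missing_heartbeats(e)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

None of these findings proves tampering on its own: a gap can be a quiet host, a reversal can be a legitimate clock step, and a truncated line can be a crash. Their value for step 9 is that each one is a place to corroborate against a second source, such as the intrusion detection logs or a central log collector that the affected host could not alter.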
10) Team members will recommend changes to prevent the incident from happening again or spreading to other systems.
11) Upon management approval, the changes will be implemented.
12) Team members will restore the affected system(s) to an uninfected state. They may do any or all of the following:
a) Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
b) Make users change passwords if passwords may have been sniffed.
c) Be sure the system has been hardened by turning off or uninstalling unused services.
d) Be sure the system is fully patched.
e) Be sure real-time virus protection and intrusion detection are running.
f) Be sure the system is logging the correct events at the proper level.
13) Documentation—the following shall be documented:
a) How the incident was discovered.
b) The category of the incident.
c) How the incident occurred, whether through email, the firewall, etc.
d) Where the attack came from, such as IP addresses and other related information about the attacker.
e) What the response plan was.
f) What was done in response.
g) Whether the response was effective.
14) Evidence preservation—make copies of logs, email, and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution, and beyond that in case of an appeal.
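Copies made for step 14 are only useful later if it can be shown that they have not changed since collection. The following Python script is an added example, not part of the plan template: it copies each evidence file into a case directory, records a SHA-256 digest, size, source path, collector and collection time in a manifest, and can re-verify the copies at any later time. The manifest layout and field names, the `CASE-0001` identifier, and the sample files that `demo()` builds in a temporary directory are this example's own constructions; the read-only permission bits assume a POSIX system.

```python
"""Step 14 support: preserve evidence copies with integrity hashes (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Copy each source into evidence_dir, hash it, and write manifest.json.

    Returns the manifest path and the manifest's own SHA-256 so that value can
    be recorded out of band (in the ticket, on paper) at collection time.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    items = []
    for src in map(Path, sources):
        dst = evidence_dir / f"{len(items):03d}_{src.name}"
        shutil.copy2(src, dst)               # copy2 keeps the original mtime
        digest = sha256_file(dst)
        if digest != sha256_file(src):       # confirm the copy before trusting it
            raise IOError(f"copy of {src} does not match its source")
        os.chmod(dst, 0o444)                 # working copy is read-only (POSIX)
        items.append({"index": len(items), "source": str(src), "copy": dst.name,
                      "size": dst.stat().st_size, "sha256": digest,
                      "copied_at": datetime.now(timezone.utc).isoformat()})
    manifest = {"case_id": case_id, "collector": collector,
                "created": datetime.now(timezone.utc).isoformat(), "items": items}
    path = evidence_dir / "manifest.json"
    path.write_text(json.dumps(manifest, indent=2))
    return {"manifest": path, "manifest_sha256": sha256_file(path)}


def verify(manifest_path: Path, expected_manifest_sha256: str = None) -> list:
    """Re-hash every copy; return a list of problems (empty means intact)."""
    problems = []
    if expected_manifest_sha256 and sha256_file(manifest_path) != expected_manifest_sha256:
        problems.append("manifest.json itself has changed")
    m = json.loads(manifest_path.read_text())
    for item in m["items"]:
        copy = manifest_path.parent / item["copy"]
        if not copy.exists():
            problems.append(f"missing: {item['copy']}")
        elif sha256_file(copy) != item["sha256"]:
            problems.append(f"hash mismatch: {item['copy']}")
    return problems


def demo() -> dict:
    """Constructed files: preserve them, verify, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        auth = tmp / "auth.log"
        auth.write_text("2024-03-01T09:10:40 web01 sshd: Accepted password for admin\n")
        mail = tmp / "report.eml"
        mail.write_text("Subject: odd logins on db01\n\nSeen at 08:55, please check.\n")
        saved = preserve([auth, mail], tmp / "evidence", "CASE-0001", "analyst@example")
        before = verify(saved["manifest"], saved["manifest_sha256"])
        # Simulate a later, unauthorized edit of one working copy.
        victim = tmp / "evidence" / "000_auth.log"
        os.chmod(victim, 0o644)
        with victim.open("a") as f:
            f.write("2024-03-01T09:11:00 web01 sshd: (edited)\n")
        after = verify(saved["manifest"], saved["manifest_sha256"])
    return {"before_tamper": before, "after_tamper": after}


if __name__ == "__main__":
    print(demo())
```

The manifest's own hash is returned separately on purpose: a manifest that lives next to the evidence can be rewritten along with it, so the value that proves the manifest is original belongs somewhere the evidence directory cannot reach, such as the incident ticket from step 7 or the written custody record.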
15) Notify proper external agencies—notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here.
16) Assess damage and cost—assess the damage to the organization and estimate both the cost of the damage and the cost of the containment efforts.
17) Review response and update policies—plan and take preventive steps so the intrusion can't happen again.
a) Consider whether an additional policy could have prevented the intrusion.
b) Consider whether a procedure or policy was not followed, which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
c) Was the incident response appropriate? How could it be improved?
d) Was every appropriate party informed in a timely manner?
e) Were the incident-response procedures detailed, and did they cover the entire situation? How can they be improved?
f) Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
g) Have changes been made to prevent a new and similar infection?
h) Should any security policies be updated?
i) What lessons have been learned from this experience?
