This document discusses the steps taken during an incident response plan.
1) The person who discovers the incident will report it to someone who has access to this list. In turn, that person shall follow the instructions in this plan to properly document and report the incident. We anticipate the following initial contact points for incidents:
a) The helpdesk
b) IT Staff
c) IT Security Staff
d) A manager
e) A business partner
f) An outside source.
2) The responder will log:
a) Time of the call
b) The nature of the incident
c) What equipment was involved
d) How the incident was detected
e) When the event was first noticed that supported the idea that the incident occurred
3) The IT security staff responsible for incident response will call those designated on the list as appropriate for the case at hand. He/she will
contact the incident response manager using e-mail. The staff member could possibly add the following: name of system being targeted, along with operating system, IP address, and location.
4) Contacted members of the incident response team will meet or discuss the situation over e-mail and determine a response strategy.
a) Is the response urgent?
b) Is the incident real or perceived?
c) Will the response alert the attacker and do we care?
d) What type of incident is this? Example: virus, worm, intrusion, abuse, damage.
e) What data or property is threatened and how critical is it?
f) What system or systems are targeted? Where are they located physically and on the network? Incident Response Plan for PPC ITEC 6620 Information and Systems Security
5) An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:
a) Category one - A threat to public safety or life.
b) Category two - A threat to sensitive data.
c) Category three - A threat to computer systems.
d) Category four - A disruption of services.
6) Team members will establish and follow one of the following procedures basing their response on the incident assessment:
a) Worm response procedure
b) Virus response procedure
c) System failure procedure
d) System abuse procedure
e) Property theft response procedure
The team may create additional procedures which are not foreseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident.
7) Team members will use forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization.
8) Team members will restore the affected system(s) to the uninfected state.
9) Documentation-the following shall be documented:
a) The category of the incident
b) How the incident occurred, whether through e-mail, firewall, etc.
c) Where the attack came from, such as IP addresses and other related information about the attacker
d) What the response plan was
e) What was done in response?
10) Assess damage and cost-assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.