Incident Response Plan Example
This document walks through the steps of an example incident response plan. To create your own plan, replace the contact information and courses of action in the example below with those specific to your organization.
1) The person who discovers the incident will call the grounds dispatch office. List the possible sources who may discover an incident; each known source should be given a contact procedure and a contact list. Sources requiring contact information may include:
a) Helpdesk
b) Intrusion detection monitoring personnel
c) A system administrator
d) A firewall administrator
e) A business partner
f) A manager
g) The security ...
The staff member will call those designated on the list. The staff member will contact the incident response manager by both email and phone message, making sure that other appropriate and backup personnel and designated managers are also contacted. The staff member will log the information received in the same format as the grounds security office in the previous step. The staff member may also record the following:
a) Is the affected equipment business critical?
b) What is the severity of the potential impact?
c) The name of the system being targeted, along with its operating system, IP address, and location.
d) The IP address and any other information about the origin of the attack.
6) Contacted members of the response team will meet, or discuss the situation over the telephone, and determine a response strategy:
a) Is the incident real or perceived?
b) Is the incident still in progress?
c) What data or property is threatened, and how critical is it?
d) What is the impact on the business should the attack succeed? Minimal, serious, or critical?
e) What system or systems are targeted, and where are they located physically and on the network?
f) Is the incident inside the trusted network?
g) Is the response urgent?
h) Can the incident be quickly contained?
i) Will the response alert the attacker, and do we care?
j) What type of incident is this? Examples: virus, worm, intrusion, abuse, damage.
7) An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories:
a) Category one - A threat to public safety or life.
b) Category two - A threat to sensitive data.
c) Category three - A threat to computer systems.
d) Category four - A disruption of services.
8) Team members will establish and follow one of the following procedures, basing their response on the incident assessment:
a) Worm response procedure
b) Virus response procedure
c) System failure procedure
d) Active intrusion response procedure - Is critical data at risk?
e) Inactive intrusion response procedure
f) System abuse procedure
g) Property theft response procedure
h) Website denial of service response procedure
i) Database or file denial of service response procedure
j) Spyware response procedure
The team may create additional procedures that are not foreseen in this document. If no applicable procedure is in place, the team must document what was done and later establish a procedure for that kind of incident.
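As an added illustration (not part of the original plan), here is a small Python triage helper that applies steps 6 through 8: it takes the team's assessment, assigns the highest applicable category, and picks the response procedure, falling back to the document-now-and-write-the-procedure-later rule when none applies. The Assessment fields and the short procedure keys are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Step 7 categories, most severe first: the "highest applicable level" wins.
CATEGORIES = (
    (1, "public_safety", "A threat to public safety or life"),
    (2, "sensitive_data", "A threat to sensitive data"),
    (3, "computer_systems", "A threat to computer systems"),
    (4, "services", "A disruption of services"),
)

# Step 8 procedures keyed by the incident type recorded under 6(j);
# the short keys are constructed for this example.
PROCEDURES = {
    "worm": "Worm response procedure",
    "virus": "Virus response procedure",
    "system failure": "System failure procedure",
    "active intrusion": "Active intrusion response procedure",
    "inactive intrusion": "Inactive intrusion response procedure",
    "abuse": "System abuse procedure",
    "property theft": "Property theft response procedure",
    "website dos": "Website denial of service response procedure",
    "database dos": "Database or file denial of service response procedure",
    "spyware": "Spyware response procedure",
}
# The plan's rule for an unforeseen incident: document actions now, write the procedure later.
FALLBACK = "No applicable procedure: document actions taken, establish a procedure afterwards"

@dataclass
class Assessment:
    """Subset of the step 6 answers needed for triage (constructed field set)."""
    incident_type: str
    threatened: set = field(default_factory=set)  # keys from CATEGORIES

def categorize(threatened):
    """Return the highest applicable category number, or None if nothing is threatened."""
    for level, key, _ in CATEGORIES:
        if key in threatened:
            return level
    return None

def open_ticket(assessment):
    """Build the step 7 ticket: category plus the step 8 procedure to follow."""
    level = categorize(assessment.threatened)
    names = {lvl: name for lvl, _, name in CATEGORIES}
    return {
        "category": level,
        "category_name": names.get(level),
        "procedure": PROCEDURES.get(assessment.incident_type.lower(), FALLBACK),
    }
```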
9) Team members will use forensic techniques, including reviewing system logs, looking for gaps in the logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim, to determine how the incident was caused. Only authorized personnel should be performing...