Victor Sabani
ITT Technical Institute
1. Introduction
2. Creating this Computer Incident Response Team (CIRT) provides the tools and experience needed when an incident occurs. Due to the sensitive nature of the information contained herein, this manual is available only to those persons who have been designated as members of one or more incident management teams, or who otherwise play a direct role in the incident response and recovery processes.
3. Unless otherwise instructed, each plan recipient will receive and maintain two copies of the plan, stored as follows:
One copy at the plan recipient's office
One copy at the plan recipient's home
4. It is the responsibility of each manager and employee to safeguard and keep confidential all corporate assets.
5. The following teams will appear throughout this plan:
Threat Assessment Center
Executive Incident Management Team
Incident Management Team
6. Preparation
7. This phase, as its name implies, deals with preparing a team to handle an incident at a moment's notice. An incident can range from a power outage or hardware failure to the most extreme cases, such as a violation of organizational policy by disgruntled employees or a compromise by state-sponsored hackers (Bejtlich).
8. This section covers specific elements that protect the team against issues that could otherwise hinder its performance:
9. a. Policy – Written policies are one of the first steps in the inception of this team. A policy provides a written set of principles, rules, or practices within an organization, and policies are one of the keystone elements that provide guidance as to whether an incident has occurred. Policies can also show management buy-in and support of the team. A simple login banner is one way to ensure that individuals attempting to log into the organization's network are aware of what is expected when using its information assets. Without clear policies, an organization could be legally exposed to lawsuits; for example, an employee fired for looking at porn or watching YouTube at work, when the organization had no policy against such behavior, would have an opening to file an improper termination lawsuit.
10. b. Response Plan/Strategy – Prioritization of incidents should be based upon organizational impact (Incident Response Process). For example, a single non-functional workstation can be considered minor; a server being down could be considered a moderate impact (assuming there are backup servers for failover); and data containing privileged information being stolen directly from Human Resources would be rated high. Prioritizing incident types by organizational impact also helps build the case for management buy-in, because without management support the CIRT is unlikely to be given the resources necessary to properly handle a crisis.
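The login banner mentioned above is the one control in this section that can be checked mechanically. The following shell script is an added example, not part of the plan or of any organization's actual configuration: it renders a placeholder banner and checks whether an OpenSSH server configuration has an active `Banner` directive pointing at the expected file (OpenSSH ships with the directive commented out as `#Banner none`, so a commented line must not count). The banner wording, the organization name, the `/etc/issue.net` path and the sample config files are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the plan's own text). Assumed file paths and wording.

# Print a pre-login banner; the organization name is a placeholder argument.
render_banner() {
  org="${1:-EXAMPLE-ORG}"
  cat <<EOF
*** $org information system - authorized use only ***
Use of this system constitutes consent to monitoring and is subject to
the organization's acceptable use policy. Unauthorized use is prohibited.
EOF
}

# Print "ok" when the given sshd_config has an uncommented Banner directive
# pointing at the expected file, otherwise "missing". A leading '#' (the
# OpenSSH default "#Banner none") is rejected by the anchored pattern.
check_banner_config() {
  cfg="$1"
  expected="$2"
  if grep -Eq "^[[:space:]]*Banner[[:space:]]+$expected[[:space:]]*$" "$cfg"; then
    echo ok
  else
    echo missing
  fi
}

# Demonstration on two constructed sshd_config fragments in a temp directory.
demo() {
  tmp="$(mktemp -d)"
  printf '#Banner none\nPermitRootLogin no\n' > "$tmp/sshd_config.before"
  printf 'Banner /etc/issue.net\nPermitRootLogin no\n' > "$tmp/sshd_config.after"
  render_banner "EXAMPLE-ORG"
  echo "before: $(check_banner_config "$tmp/sshd_config.before" /etc/issue.net)"
  echo "after:  $(check_banner_config "$tmp/sshd_config.after" /etc/issue.net)"
  rm -rf "$tmp"
}

demo
```

To apply this on a real host, the banner text would be written to the path named in the `Banner` directive and the daemon's configuration validated with `sshd -t` before reloading; the script above only demonstrates the check, it does not modify any system file.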
11. Planning scenarios / Training
12. This plan was developed to respond to an incident that could render the Defense Logistics Information Services out of service or inaccessible. In addition, it is designed to respond to situations other than that scenario, e.g., data stolen from Human Resources. The plan is designed to respond to scenarios such as the following:
1. No access to buildings or floors at the specific location
2. Loss of data communications and the network infrastructure
3. Loss of technology
4. Loss of professional staff
13. Limited or no access to the building
14. Any incident that renders the Defense Logistics Information Services either totally inaccessible/unusable or partially accessible falls under this category.
15. This scenario could produce one or more of the following impacts:
Loss of the business facility or the facility is rendered inaccessible
Loss of access to