CYB-690 Incident Response Management Plan: Procedures and Strategies

Added on 2022/09/16

AI Summary
This report presents a comprehensive incident response plan designed for the effective management of security incidents. The plan outlines procedures for initially identifying and documenting incidents using monitoring systems such as firewalls and intrusion detection systems, followed by alerting the relevant stakeholders, including the tactical operations manager and internal and external parties. The report details steps to investigate breaches, mitigate harm and prevent future incidents, emphasizing risk assessment and enforcement mechanisms. It also covers assessing organizational damage, estimating costs and containment strategies. Finally, the plan includes procedures for reviewing and updating policies, ensuring preparedness and continuous improvement in incident response capabilities. The plan is designed to minimize damage and prevent future incidents.
Running head: INCIDENT RESPONSE MANAGEMENT
INCIDENT RESPONSE MANAGEMENT
Name of the Student:
Name of the University:
Author Note:
Incident Response Plan
Purpose
The purpose of this incident response plan is to plan for, respond to, manage and escalate
critical incidents effectively and quickly, bringing them under control and limiting the
impact of the incident.
Scope
The procedures are designed for the management of every incident that has impacted,
or has the potential to impact, services and operations, as well as the environment and
property (Thompson, 2018). Incidents include hazards and physical actions, as well as other
forms of event that might cause major damage to operations and services.
Procedures for initially identifying and documenting incidents
The focus of this phase is monitoring for security incidents in order to detect, alert on
and report security incidents.
Monitor: Security events in the environment should be monitored using firewalls, data
loss prevention, and intrusion detection and prevention systems. All security events on the
network should be carefully monitored so that security incidents are detected or prevented
(Wertheim, 2019).
Detect: Security incidents should be detected by correlating alerts in the SIEM solution.
Any security incident must be detected as early as possible to prevent damage to the
network or the systems.
Alert: The analysts create an incident ticket, document the initial findings and assign an
initial incident classification. Once a security threat has been identified, management, the
tactical operations manager and internal as well as external stakeholders should be informed
immediately about the incident (McNeil et al., 2018).
Report: The reporting process must accommodate reporting escalations. Every detail of
the security incident should be documented in the report.
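The monitor, detect, alert and report steps above can be shown end to end with a small correlation script. This is an added example, not part of the original plan: it takes constructed firewall, IDS and DLP events, groups them per host inside an assumed ten-minute window, and opens a ticket with an initial classification only when at least two monitoring sources agree; the classification rules, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from the monitoring sources the plan names
# (firewall, IDS/IPS, DLP): (timestamp, source, host, message).
SAMPLE_EVENTS = [
    ("2022-09-16T10:00:05", "firewall", "ws-17", "deny tcp 10.0.5.17 -> 203.0.113.9:8081"),
    ("2022-09-16T10:00:40", "ids", "ws-17", "beacon-like traffic to 203.0.113.9"),
    ("2022-09-16T10:02:10", "dlp", "ws-17", "outbound file matches card-number policy"),
    ("2022-09-16T11:30:00", "firewall", "ws-22", "deny tcp 10.0.5.22 -> 198.51.100.4:443"),
]

# Initial classification rules (assumed for illustration, not from the plan):
# required sources seen for one host -> (classification, severity).
CLASSIFICATION_RULES = [
    ({"ids", "dlp"}, "data exfiltration", "high"),
    ({"ids"}, "malware activity", "medium"),
    ({"firewall"}, "blocked connection", "low"),
]

def classify(sources):
    """Assign the initial incident classification from the tools that fired."""
    for needed, category, severity in CLASSIFICATION_RULES:
        if needed <= sources:
            return category, severity
    return "unclassified", "low"

def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Group events per host; open a ticket when alerts from at least
    `min_sources` distinct tools fall inside `window` (both assumed values)."""
    by_host = defaultdict(list)
    for ts, source, host, msg in events:
        by_host[host].append((datetime.fromisoformat(ts), source, msg))
    tickets = []
    for host, evs in by_host.items():
        evs.sort()
        sources = {s for _, s, _ in evs}
        if evs[-1][0] - evs[0][0] > window or len(sources) < min_sources:
            continue  # a lone event stays in monitoring; no ticket is opened
        category, severity = classify(sources)
        tickets.append({
            "host": host,
            "first_seen": evs[0][0].isoformat(),
            "sources": sorted(sources),           # which monitoring tools fired
            "classification": category,
            "severity": severity,
            "initial_findings": [m for _, _, m in evs],  # documented verbatim
        })
    return tickets
```

Running `correlate(SAMPLE_EVENTS)` opens one high-severity ticket for ws-17 and leaves the single firewall deny on ws-22 in monitoring, which is the distinction between an event and an incident that the Detect step relies on.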
Procedure for informing the tactical operations manager and internal as well as external
stakeholders
Cyber incidents are complicated by nature and involve several internal and external
stakeholders, which further complicates the activities of crisis management. As the
stakeholders are the objects of disclosure, information about the security incident should be
communicated to the internal and external stakeholders along with the tactical operations
manager. The precise set of stakeholders depends on the specific case. Every stakeholder group
might need different notifications with respect to timing, method and content (Thompson, 2018).
The tactical operations manager and the internal and external stakeholders should be fully
and quickly informed of the impact of a security incident once it is detected. By informing the
authorities and management as quickly as possible, the damage from the security incident can be
minimized and steps can be taken to prevent further security incidents of this kind.
Procedures to investigate the breach, to mitigate harm to individuals, and to protect
against further breaches
It is crucial that covered entities respond properly to potential security breaches in order
to avoid or minimize their liability. Immediate action should be taken to mitigate the effects of
a security incident. The security breach should be detected as early as possible and investigated
thoroughly. The causes of the security breach should be identified in order to prevent any
further breach. Prompt action might help avoid or mitigate further security incidents. Covered
entities are required to mitigate the harmful effects of a security incident to the extent
practicable (Stamper, Hayslip & Bonney, 2019). Mitigation might consist of retrieving
information about the security incident and taking the steps necessary to make sure that such
an incident does not take place again. Necessary actions such as securing the network and
systems are required to make sure no further security incidents take place. A risk assessment
should be performed that considers all the factors that could cause a security breach, and the
necessary steps should be taken to cover these crucial factors.
Enforcement mechanisms for breaches and non-adherence
One of the main purposes of an enforcement mechanism is to ensure the consistent
application of data protection law. This provides a high level of data protection as well as legal
certainty when handling data. Procedures need to be established to monitor compliance, and
they must be adequately resourced. These procedures are backed by a broad range of
enforcement powers, which include notifying data processors or data controllers of an alleged
breach of data protection law, carrying out investigations through audits of systems and
networks, imposing a temporary or definitive ban on processing, and imposing administrative
fines (Thompson, 2018). If more than one entity is responsible for the same damage, every entity
should be considered liable. This solution would enable private individuals to seek
compensation.
Procedures to assess the damage to the organization and estimate both the damage cost and
the cost of the containment efforts
Containment is essential before a security incident increases the damage or overwhelms
resources. Most security incidents need containment, which is an essential consideration in the
course of handling every security incident. Containment provides time to develop a
remediation strategy. A crucial part of containment is decision making. The decisions are
much easier to make if predetermined strategies and procedures for containing a
security incident are in place. Containment strategies vary depending on the kind of security
incident: the strategy to contain a malware infection is totally different from the one for a DDoS
attack on the network (Roberts & Brown, 2017). Organizations must create containment strategies
for every primary incident type, with documented criteria to facilitate decision making. The
criteria for determining the appropriate strategy include the theft or potential damage of
resources, service availability, the need for evidence preservation, the resources and time
required to implement the strategy, the duration of the solution and the effectiveness of the strategy.
Procedures to review response and update policies
Evidence should be gathered while securing the incident in order to resolve the security incident.
Incident response is a structured methodology for handling security incidents, cyber threats and
security breaches. During a security incident, the security teams face many unknowns and a
frenzy of activity. The priority is to prepare in advance by putting a concrete response plan in place.
Organizations must establish a response plan before a significant security incident takes place.
Everything should be encompassed, from monitoring attack vectors and prioritization to
looking for signs of a security incident (Athinaiou et al., 2018). The organizations' existing
policies should be updated to prevent any kind of security incident. A containment
strategy should be developed, and affected systems should be identified and mitigated in case of a security
incident. The necessary steps should be taken to make sure such security incidents do not occur
again.
References
Athinaiou, M., Mouratidis, H., Fotis, T., Pavlidis, M., & Panaousis, E. (2018, September).
Towards the Definition of a Security Incident Response Modelling Language.
In International Conference on Trust and Privacy in Digital Business (pp. 198-212).
Springer, Cham.
McNeil, C. S., Sanzero, G. V., Noel, T. G., & Halkjaer-Knudsen, V. (2018). Novel Exercise
Technology to Improve Incident Response Readiness (No. SAND2018-10876C). Sandia
National Laboratories (SNL-CA), Livermore, CA (United States); Sandia National
Laboratories (SNL-NM), Albuquerque, NM (United States).
Roberts, S. J., & Brown, R. (2017). Intelligence-Driven Incident Response: Outwitting the
Adversary. O'Reilly Media, Inc.
Stamper, M., Hayslip, G., & Bonney, B. (2019). Ten Observations on Why Incident
Response Needs Your Attention. EDPACS, 59(2), 19-23.
Thompson, E. C. (2018). Incident response frameworks. In Cybersecurity Incident Response (pp.
17-46). Apress, Berkeley, CA.
Thompson, E. C. (2018). The Incident Response Strategy. In Cybersecurity Incident
Response (pp. 65-70). Apress, Berkeley, CA.
Thompson, E. C. (2018). The Significance of Incident Response. In Cybersecurity Incident
Response (pp. 1-10). Apress, Berkeley, CA.
Wertheim, S. (2019). How to Create an Incident Response Plan. The CPA Journal, 89(11), 70-71.